CVE-2020-26258

MEDIUM NUCLEI

XStream <1.4.15 - Server-Side Request Forgery via XML Unmarshalling

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2020-26258. PoCs published by JAckLosingHeart, dawetmaster, andikahilmy. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates a deserialization vulnerability in XStream (CVE-2020-26258) by parsing a malicious XML file. The exploit leverages unsafe deserialization to achieve arbitrary code execution.

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Exploits (5)

github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/xstream-CVE-2020-26258

This PoC demonstrates a deserialization vulnerability in XStream (CVE-2020-26258) by parsing a malicious XML file. The exploit leverages unsafe deserialization to achieve arbitrary code execution.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: XStream (versions before 1.4.15)
No auth needed
Prerequisites: malicious XML file (CVE-2020-26258.xml)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-26258-xstream-vulnerable

The repository contains benchmarking code for XStream but lacks any exploit code or technical details related to CVE-2020-26258. It appears to be a placeholder or incomplete repository.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-26258-xstream-vulnerable

The repository contains only benchmarking code and no exploit PoC for CVE-2020-26258. It lacks any functional exploit or technical analysis of the vulnerability.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by cuijiung · poc
https://github.com/cuijiung/xstream-CVE-2020-26258

This repository contains a minimal Java stub for CVE-2020-26258, an XStream deserialization vulnerability. It lacks exploit payloads or malicious XML content, serving only as a basic template for testing.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Theoretical
Target: XStream (versions before 1.4.15)
No auth needed
Prerequisites: XStream library in classpath · malicious XML file (not provided)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-26258

This is a working proof-of-concept for CVE-2020-26258, an SSRF vulnerability in XStream versions before 1.4.15. The exploit leverages deserialization of a crafted XML payload to trigger an SSRF request to an attacker-controlled endpoint.

Classification
Working Poc 100%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: XStream < 1.4.15
No auth needed
Prerequisites: XStream library version < 1.4.15 · Ability to send crafted XML input to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

XStream <1.4.15 - Server-Side Request Forgery
HIGHby pwnhxl

References (14)

Core 14
Core References
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
Mailing List, Third Party Advisory x_refsource_misc
https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
Third Party Advisory x_refsource_misc
https://security.netapp.com/advisory/ntap-20210409-0005
Third Party Advisory x_refsource_misc
https://www.debian.org/security/2021/dsa-4828
Exploit, Mitigation, Third Party Advisory x_refsource_misc
https://x-stream.github.io/CVE-2020-26258.html

Scores

CVSS v3 6.3
EPSS 0.8144
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-918
Status published
Products (8)
apache/struts < 6.0.0
com.thoughtworks.xstream/xstream 0 - 1.4.15Maven
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
xstream/xstream < 1.4.15
Published Dec 16, 2020
Tracked Since Feb 18, 2026