CVE-2020-26259

MEDIUM

XStream <1.4.15 - File Deletion


Exploitation Summary

EIP tracks 6 public exploits for CVE-2020-26259. PoCs published by jas502n, JAckLosingHeart, Al1ex.

AI-analyzed exploit summary: This repository contains proof-of-concept exploits for CVE-2020-26259 (arbitrary file deletion) and CVE-2020-26258 (SSRF) in XStream versions up to 1.4.14. The exploits leverage deserialization vulnerabilities to trigger malicious behavior.

Description

XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to arbitrary file deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, simply by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist when running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected. Anyone relying on XStream's default blacklist can immediately switch to a whitelist of the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.

Exploits (6)

nomisec WORKING POC 25 stars
by jas502n · poc
https://github.com/jas502n/CVE-2020-26259

This repository contains proof-of-concept exploits for CVE-2020-26259 (arbitrary file deletion) and CVE-2020-26258 (SSRF) in XStream versions up to 1.4.14. The exploits leverage deserialization vulnerabilities to trigger malicious behavior.

Classification: Working PoC (100%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: XStream (versions up to and including 1.4.14)
No auth needed
Prerequisites: XStream library in the classpath · Ability to send crafted XML payloads to the target application
devstral-2 · analyzed Feb 16, 2026
github STUB 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/xstream-CVE-2020-26259

The repository contains a minimal Java code snippet that initializes XStream and deserializes an XML file, but lacks the actual exploit payload or technical details. It is incomplete and does not demonstrate the vulnerability.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: XStream (versions affected by CVE-2020-26259)
No auth needed
Prerequisites: XML file with malicious payload (not provided)
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 1 star
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-26259

This PoC demonstrates an arbitrary file deletion vulnerability in XStream versions <= 1.4.14 via crafted XML input during unmarshalling. The exploit leverages deserialization to trigger file deletion on the local host.

Classification: Working PoC (100%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: XStream <= 1.4.14
No auth needed
Prerequisites: XStream library in classpath · Sufficient permissions to delete target file
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-26259-xstream-vulnerable

This repository contains benchmarking code for XStream but lacks any exploit code or technical analysis related to CVE-2020-26259. The files are part of a performance testing framework and do not demonstrate the vulnerability.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: XStream (version not specified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-26259-xstream-vulnerable

The repository contains benchmarking code for XStream but lacks any exploit code or technical analysis related to CVE-2020-26259. It appears to be a placeholder or incomplete repository.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: XStream (version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026
nomisec STUB
by cuijiung · poc
https://github.com/cuijiung/xstream-CVE-2020-26259

This repository contains a minimal Java stub for CVE-2020-26259, an XStream deserialization vulnerability. The code initializes XStream and attempts to deserialize XML from a file, but lacks the exploit payload or detailed context.

Classification: Stub (80%)
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: XStream (versions before 1.4.15)
No auth needed
Prerequisites: XStream library in classpath · Malicious XML file (CVE-2020-26259.xml)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.8
EPSS 0.8105
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

CWE
CWE-78
Status published
Products (8)
apache/struts < 6.0.0
com.thoughtworks.xstream/xstream 0 - 1.4.15 (Maven)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
xstream/xstream < 1.4.15
Published Dec 16, 2020
Tracked Since Feb 18, 2026