CVE-2021-23926
Severity: CRITICAL
Apache XMLBeans <= 2.6.0 - XML External Entity Injection / XML Entity Expansion
Title source: llmDescription
The XML parsers used by XMLBeans up to and including version 2.6.0 did not set the parser properties needed to protect the application from malicious XML input, such as disabling DTD and external entity resolution and bounding entity expansion. The resulting exposures include XML Entity Expansion ("billion laughs") attacks, which is the CWE-776 classification below and the A:H component of the CVSS vector; the C:H component corresponds to the external entity injection named in the title. Affects XMLBeans up to and including v2.6.0.
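The following is an added example, not code from the XMLBeans project or from this advisory. It shows the insecure pattern (parsing untrusted input with the library's default parser configuration, which on the affected versions is exactly what the description above calls out) next to the mitigation available to callers who cannot upgrade immediately: build a SAX XMLReader with DTD processing disabled and hand it to XMLBeans through XmlOptions.setLoadUseXMLReader, so the library's own defaults never touch untrusted input. The two payloads are constructed test inputs; the class and method names are assumptions, the file path in the XXE payload is illustrative, and the example assumes the JDK's default Xerces-derived SAX parser, which honours the feature URIs used here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class XmlBeansParserHardening {

    // Constructed test input: a small entity-expansion ("billion laughs") document.
    // A real attack nests ten or more levels; three is enough to exercise the check.
    static final String ENTITY_EXPANSION =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE lolz [\n"
        + "  <!ENTITY lol \"lol\">\n"
        + "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
        + "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
        + "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
        + "]>\n"
        + "<lolz>&lol3;</lolz>";

    // Constructed test input: an external-entity document that reads a local file
    // (illustrative path; any file: or http: URI works the same way).
    static final String EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<foo>&xxe;</foo>";

    // Vulnerable pattern: trust the library's default parser configuration.
    // On XMLBeans <= 2.6.0 the defaults do not set the protective parser
    // properties, so both constructed inputs are processed as written.
    static XmlObject parseWithDefaults(String untrusted) throws XmlException {
        return XmlObject.Factory.parse(untrusted);
    }

    // Hardened pattern: a SAX reader with DTD processing switched off, handed
    // to XMLBeans so the library's own parser defaults are bypassed.
    static XMLReader secureReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Turns on the JDK's built-in entity-expansion and size limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright stops both inline entity bombs and XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for a parser configuration that still admits a DOCTYPE.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory.newSAXParser().getXMLReader();
    }

    static XmlObject parseHardened(String untrusted) throws Exception {
        XmlOptions options = new XmlOptions().setLoadUseXMLReader(secureReader());
        return XmlObject.Factory.parse(untrusted, options);
    }

    public static void main(String[] args) throws Exception {
        String[] payloads = { ENTITY_EXPANSION, EXTERNAL_ENTITY };
        for (String payload : payloads) {
            try {
                parseHardened(payload);
                System.out.println("NOT BLOCKED: hardened parser accepted a DOCTYPE payload");
            } catch (XmlException e) {
                // Expected: the DOCTYPE is rejected before any entity is expanded or fetched.
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

The hardened reader is a workaround, not a substitute for moving off the affected versions; applications that get XMLBeans transitively (Apache POI, for one, per the product reference below) need the dependency upgraded there as well. Disallowing the DOCTYPE is the simplest effective setting because it removes the DTD that both entity expansion and external entity injection depend on; if the application legitimately needs internal DTDs, drop that line and rely on the remaining features plus FEATURE_SECURE_PROCESSING, and test with an expansion payload to confirm the limit actually triggers.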
References (8)
Issue Tracking, Vendor Advisory: https://issues.apache.org/jira/browse/XMLBEANS-517
Mailing List: https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory: https://security.netapp.com/advisory/ntap-20210513-0004/
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html
Product, Vendor Advisory: https://poi.apache.org/
Scores
CVSS v3
9.1
EPSS
0.0627
EPSS Percentile
92.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-776 (Improper Restriction of Recursive Entity References in DTDs, "XML Entity Expansion")
Status
published
Products (11)
apache/xmlbeans
<= 2.6.0
debian/debian_linux
9.0
netapp/oncommand_unified_manager_core_package
netapp/snap_creator_framework
netapp/snapmanager
(2 CPE variants)
oracle/middleware_common_libraries_and_tools
12.2.1.3.0
oracle/middleware_common_libraries_and_tools
12.2.1.4.0
oracle/peoplesoft_enterprise_peopletools
8.57
oracle/peoplesoft_enterprise_peopletools
8.58
oracle/peoplesoft_enterprise_peopletools
8.59
... and 1 more
Published
Jan 14, 2021
Tracked Since
Feb 18, 2026