CVE-2024-13971
Severity: HIGH
Title: Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro
Title source: cnaDescription
Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
References (2)
Mailing List: http://seclists.org/fulldisclosure/2026/May/1
Scores
CVSS v3: 7.5
EPSS: 0.0047
EPSS Percentile: 36.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-611
Status: published
Products (3)
Lobster GmbH/Lobster_pro: < 4.12.6-GA
Lobster GmbH/Lobster_pro: 4.12.6-GA
lobster-world/lobster_pro: < 4.12.6-ga
Published: Apr 30, 2026
Tracked Since: Apr 30, 2026