CVE-2024-31573

MEDIUM

XMLUnit for Java <2.10.0 - Code Injection

Title source: llm

Description

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

Scores

CVSS v3 4.0
EPSS 0.0004
EPSS Percentile 10.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-669
Status published
Products (2)
org.xmlunit/xmlunit-core 0 - 2.10.0 (Maven)
XMLUnit/XMLUnit for Java 2.0.0 - 2.10.0
Published Oct 17, 2025
Tracked Since Feb 18, 2026