CVE-2024-40896

CRITICAL

libxml2 2.11 <2.11.9, 2.12 <2.12.9, 2.13 <2.13.3 - XXE (external entity processing)

Title source: llm

Description

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can still produce events for external entities even when custom SAX handlers try to override the entity content (by setting the entity's "checked" field). Applications that relied on that SAX-level override as their XXE protection are therefore exposed to classic XXE attacks.

Scores

CVSS v3.1 9.1 (Critical)
EPSS 0.0055
EPSS Percentile 68.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-611
Status published
Products (9)
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
netapp/hci_compute_node
netapp/solidfire_&_hci_management_node
netapp/solidfire_&_hci_storage_node
xmlsoft/libxml2 2.11.0 up to (excluding) 2.11.9
Published Dec 23, 2024
Tracked Since Feb 18, 2026