CVE-2025-48006
CRITICAL
DataSpider Servista <= 4.4 - XML External Entity Injection
Title source: llm
Description
Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. If a specially crafted request is processed, arbitrary files on the file system where the server application for the product is installed may be read, or a denial-of-service (DoS) condition may occur.
References (2)
Core References
Third Party Advisory: https://jvn.jp/en/jp/JVN23423519/
Third Party Advisory: https://www.hulft.com/application/files/1217/5885/0217/information_20250926.pdf
Scores
CVSS v3: 9.1
EPSS: 0.0049
EPSS Percentile: 37.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-611
Status: published
Products (1): saison/dataspider_servista < 4.4
Published: Sep 29, 2025
Tracked Since: Feb 18, 2026