Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc
Scores
CVSS v3
7.6
EPSS
0.0025
EPSS Percentile
15.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (2)
io.openremote/openremote-manager
0 - 1.22.0Maven
openremote/openremote
< 1.22.0 (2 CPE variants)
Published
Apr 22, 2026
Tracked Since
Apr 23, 2026