CVE-2026-42212
HIGHSolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-laughs DoS in VMID parser
Title source: cnaDescription
SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9
X_Refsource_Misc x_refsource_misc
https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d
X_Refsource_Misc x_refsource_misc
https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20
X_Refsource_Misc x_refsource_misc
https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2
Scores
CVSS v4
7.1
EPSS
0.0004
EPSS Percentile
12.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Details
CWE
CWE-400
CWE-611
CWE-776
Status
published
Products (1)
anzory/SolidCAM-GPPL-IDE
>= 1.0.0, < 1.0.2
Published
May 08, 2026
Tracked Since
May 09, 2026