CVE-2026-6807

MEDIUM

NSA GRASSMARLIN Improper Restriction of XML External Entity Reference

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-6807. PoCs published by adminlove520 and SecTestAnnaQuinn.

AI-analyzed exploit summary: This repository contains functional proof-of-concept code for CVE-2026-6807, an XXE (XML External Entity) vulnerability in Grassmarlin. The exploit leverages malicious DTD references to exfiltrate arbitrary files via out-of-band (OOB) callbacks, chunking the data to bypass input restrictions.

Description

A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

Exploits (2)

1. github · WORKING POC · 4 stars
by adminlove520 · python poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-6807


Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Grassmarlin (version not specified, but requires bundled Java)
Authentication: none needed
Prerequisites:
- Victim must open a malicious .gm3 session file
- Attacker must control a relay server to receive exfiltrated data
- Victim system must use the bundled Java version (newer versions may block XXE)
Analyzed by devstral-2 on May 17, 2026
2. github · WORKING POC
by SecTestAnnaQuinn · python poc
https://github.com/SecTestAnnaQuinn/Grassmarlin-CVE-2026-6807-XXE-POC

This repository contains a functional proof-of-concept for CVE-2026-6807, an XXE vulnerability in Grassmarlin. The exploit leverages external DTD references to exfiltrate arbitrary files via chunked base64-encoded data, bypassing logging and newer Java protections.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Grassmarlin (version not specified)
Authentication: none needed
Prerequisites:
- Victim must open a malicious .gm3 file
- Attacker must control a relay server
- Grassmarlin must use the bundled Java version
Analyzed by devstral-2 on Apr 29, 2026

Scores

CVSS v3: 5.5
EPSS: 0.0020
EPSS Percentile: 9.6%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-611
Status: published
Products (1): NSA/GRASSMARLIN, all versions
Published: Apr 28, 2026
Tracked Since: Apr 29, 2026