CVE-2026-6807

MEDIUM

NSA GRASSMARLIN Improper Restriction of XML External Entity Reference

Title source: cna

Description

GRASSMARLIN v3.2.1 parses session data with an XML parser that is not hardened against external entity references (CWE-611). Crafted session data can therefore cause the parser to handle XML input improperly, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

Exploits (1)

GitHub, working PoC, by SecTestAnnaQuinn (Python PoC):
https://github.com/SecTestAnnaQuinn/Grassmarlin-CVE-2026-6807-XXE-POC

Scores

CVSS v3: 5.5
EPSS: 0.0001
EPSS Percentile: 0.3%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-611
Status: published
Products (1): NSA/GRASSMARLIN, all versions
Published: Apr 28, 2026
Tracked since: Apr 29, 2026