EIP-2026-119674

This exploit demonstrates an XXE (XML External Entity) injection vulnerability in ExpertGPS 6.38, allowing an attacker to exfiltrate local files by crafting a malicious .gpx file. The PoC includes a DTD file and a malicious XML payload that, when imported, sends the contents of a local file to an attacker-controlled server.