CVE-2020-26247: XML External Entity (XXE) Injection in Nokogiri

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.7% (top 27.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 30; latest update Jul 21

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. Thi
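An added example, not part of this record or of Nokogiri's own code: a Gemfile.lock check that flags nokogiri pins still before the 1.11.0.rc4 fix version named in the description above. It uses Ruby's built-in Gem::Version so that prerelease ordering (1.11.0.rc3 < 1.11.0.rc4 < 1.11.0) is compared correctly; the lockfile fragment is constructed for the example.

```ruby
# Added example (not from the advisory): flag Gemfile.lock entries of nokogiri
# that fall inside the affected range of CVE-2020-26247. The fixed release
# named in the CVE description is 1.11.0.rc4.
require "rubygems"

FIXED_VERSION = Gem::Version.new("1.11.0.rc4")

# True when the given nokogiri version string is before the fix.
# Gem::Version orders prereleases correctly: 1.11.0.rc3 < 1.11.0.rc4 < 1.11.0.
def nokogiri_affected?(version)
  Gem::Version.new(version) < FIXED_VERSION
end

# Returns the affected nokogiri versions pinned in a Gemfile.lock.
# Matches the "    nokogiri (1.10.10)" spec line and the platform-suffixed
# "    nokogiri (1.10.10-x86_64-linux)" form; dependency constraints such as
# "nokogiri (>= 1.6)" contain a space and are deliberately not matched.
def affected_nokogiri_pins(lockfile_text)
  versions = []
  lockfile_text.each_line do |line|
    m = line.match(/^\s+nokogiri \(([^)\s]+)\)/)
    next unless m
    version = m[1].split("-").first # drop the platform suffix, if any
    versions << version if nokogiri_affected?(version)
  end
  versions.uniq
end

# Constructed sample Gemfile.lock fragment (not a real project file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.10)
        mini_portile2 (~> 2.4.0)
      nokogiri (1.10.10-x86_64-linux)
      rails-html-sanitizer (1.3.0)
        loofah (~> 2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  affected_nokogiri_pins(SAMPLE_LOCK).each do |v|
    puts "nokogiri #{v} is affected by CVE-2020-26247; upgrade to #{FIXED_VERSION} or later"
  end
end
```

Upgrading past the fix is the remedy this record points to; the check only tells you which lockfiles still need it.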

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

NVD: nokogiri/nokogiri, < 1.11.0 (+1)
RubyGems: nokogiri/nokogiri, < 1.11.0
Debian: debian/ruby-nokogiri, < ruby-nokogiri 1.11.1+dfsg-1 (bookworm)
CVEListV5: sparklemotion/nokogiri, < 1.11.0.rc4

Also affects: Debian Linux 10.0, 9.0

Patches

Vulnerability Details (4)

OSV: ruby-nokogiri vulnerabilities (2025-07-21)
GHSA: Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability (2020-12-30)
OSV: Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability (2020-12-30)
OSV: CVE-2020-26247: Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support (2020-12-30)

Vendor Advisories (3)

Ubuntu: Nokogiri vulnerabilities (2025-07-21)
Red Hat: rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema (2020-12-30)
Debian: CVE-2020-26247: ruby-nokogiri - Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath an... (2020)