CVE-2024-40896
published 2024-12-23


Priority: P348
CVSS 3.1: 9.1 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 1.19% (64.1th percentile)
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XML External Entity (XXE) attacks possible.

Affected

10 ranges
Vendor    Product                                    Version range                        Fixed in
debian    libxml2                                    -                                    -
libxml2   libxml2                                    >= 2.11.0 < 2.11.9                   2.11.9
libxml2   libxml2                                    >= 2.12.0 < 2.12.9                   2.12.9
libxml2   libxml2                                    >= 2.13.0 < 2.13.3                   2.13.3
msrc      azl3_libxml2_2.11.5-2_on_azure_linux_3.0   -                                    -
msrc      azl3_libxml2_2.11.5-5_on_azure_linux_3.0   -                                    -
xmlsoft   libxml2                                    >= 0 < 2.12.7+dfsg-3ubuntu0.1        2.12.7+dfsg-3ubuntu0.1
xmlsoft   libxml2                                    >= 2.11.0 < 2.11.9                   2.11.9
xmlsoft   libxml2                                    >= 2.12.0 < 2.12.9                   2.12.9
xmlsoft   libxml2                                    >= 2.13.0 < 2.13.3                   2.13.3

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
osv             -         9.1     CRITICAL   -
vendor_debian   -         9.1     LOW        -
vendor_msrc     -         9.1     CRITICAL   -
vendor_oracle   -         9.1     CRITICAL   -
vendor_redhat   -         9.1     CRITICAL   -