CVE-2024-40896
Published 2024-12-23
Priority: P3 · 48 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 1.19% (64.1st percentile)
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | — | — |
| libxml2 | libxml2 | >= 2.11.0 < 2.11.9 | 2.11.9 |
| libxml2 | libxml2 | >= 2.12.0 < 2.12.9 | 2.12.9 |
| libxml2 | libxml2 | >= 2.13.0 < 2.13.3 | 2.13.3 |
| msrc | azl3_libxml2_2.11.5-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_libxml2_2.11.5-5_on_azure_linux_3.0 | — | — |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg-3ubuntu0.1 | 2.12.7+dfsg-3ubuntu0.1 |
| xmlsoft | libxml2 | >= 2.11.0 < 2.11.9 | 2.11.9 |
| xmlsoft | libxml2 | >= 2.12.0 < 2.12.9 | 2.12.9 |
| xmlsoft | libxml2 | >= 2.13.0 < 2.13.3 | 2.13.3 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| osv | 9.1 | CRITICAL | — |
| vendor_debian | 9.1 | LOW | — |
| vendor_msrc | 9.1 | CRITICAL | — |
| vendor_oracle | 9.1 | CRITICAL | — |
| vendor_redhat | 9.1 | CRITICAL | — |
Oracle
Oracle Communications Applications Risk Matrix: Core (libxml2) — CVE-2024-40896
vendor_oracle·2025-04-15·CVSS 9.1 [CRITICAL]
CVE: CVE-2024-40896
CVSS: 9.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2025 (APR 2025)
Ubuntu
CVE-2024-40896: libxml2 vulnerability
vendor_ubuntu·2025-01-16
Summary: libxml2 could be made to expose sensitive information over the network.
Xisco Fauli discovered that libxml2 incorrectly handled custom SAX handlers. A remote attacker could possibly use this issue to perform XML External Entity (XXE) attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
CVE-2024-40896 [CRITICAL] CWE-611 libxml2: XXE vulnerability
vendor_redhat·2024-12-23·CVSS 9.1
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
A flaw was found in libxml2. In the affected versions of libxml2, the SAX parser can generate events for external entities, even if custom SAX handlers try to override entity content by setting it to "checked." This vulnerability allows classic XML External Entity (XXE) attacks.
Statement: This vulnerability is marked as critical severity instead of important due to its potential to completely compromise system security. By exploiting the XXE vulnerability, an attacker can achieve arbitrary file disclosure (e.
Microsoft
CVE-2024-40896 [CRITICAL] CWE-611
vendor_msrc·2024-12-10·CVSS 9.1
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to
Oracle
Oracle Communications Risk Matrix: Install/Upgrade (Pygments) — CVE-2022-40896
vendor_oracle·2024-04-15·CVSS 5.5 [MEDIUM]
CVE: CVE-2022-40896
CVSS: 5.5
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2024 (APR 2024)
Oracle
Oracle Utilities Applications Risk Matrix: NMS Monitor (Pygments) — CVE-2022-40896
vendor_oracle·2024-01-15·CVSS 5.5 [MEDIUM]
CVE: CVE-2022-40896
CVSS: 5.5
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpujan2024 (JAN 2024)
Debian
CVE-2024-40896: libxml2
vendor_debian·2024·CVSS 9.1 [CRITICAL]
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-6c2p-rqx3-w4px (CVE-2024-40896) [CRITICAL] CWE-611
ghsa_unreviewed·2024-12-23
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
OSV
CVE-2024-40896 [CRITICAL]
osv·2024-12-23·CVSS 9.1
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Suricata
ET WEB_SPECIFIC_APPS Tenda SetIpMacBind Multiple Parameters Buffer Overflow Attempt (CVE-2025-15216, CVE-2025-9089, CVE-2025-1853, CVE-2024-40417, CVE-2023-41556, CVE-2023-40902, CVE-2023-40896)
suricata·2025-10-10·CVSS 9.8 (CVE-2023-40902 [CRITICAL])
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetIpMacBind Multiple Parameters Buffer Overflow Attempt (CVE-2025-15216, CVE-2025-9089, CVE-2025-1853, CVE-2024-40417, CVE-2023-41556, CVE-2023-40902, CVE-2023-40896)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:20; content:"/goform/SetIpMacBind"; fast_pattern; http.request_body; pcre:"/(?:list|component|bindnum)\x3d[^&]{100,}(?:&|$)/"; reference:cve,2023-40902; reference:cve,2025-9089; reference:cve,2025-1853; reference:url,github.com/peris-navince/founded-0-days/blob/main/Tenda/ac10/SetIpMac
No public exploits indexed.
Qualys
Oracle Critical Patch Update, April 2025 Security Update Review
blogs_qualys·2025-04-16
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
Oracle released its first quarterly edition of this year’s Critical Patch Update. The update received patches for 378 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 103, constituting about 27% of the total patches released. Oracle MySQL and Oracle Communications Applications followed, with 43 and 42 security patches.
300 of the 378 security patches provided by the April Critical Patch Update (about 79%) are for non-Ora
Bugzilla
CVE-2024-40896 [CRITICAL] libxml2: XXE vulnerability
bugzilla·2024-12-23·CVSS 9.1
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Bugzilla
CVE-2022-40896 [MEDIUM] pygments: ReDoS in pygments
bugzilla·2023-11-27·CVSS 5.5
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
Discussion:
Created python-pip tracking bugs for this issue:
Affects: fedora-all [bug 2253941]
---
Created mingw-python-pygments tracking bugs for this issue:
Affects: fedora-all [bug 2259081]
Created python-pygments tracking bugs for this issue:
Affects: fedora-all [bug 2259082]
Created python-pygments2 tracking bugs for this issue:
Affects: epel-all [bug 2259080]
---
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
---
This issue has been addressed in t