CVE-2025-8732
published 2025-08-08


Priority: P4 (13)
CVSS 3.1 base score: 3.3 (low)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.14% (3.3rd percentile)
A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Affected

29 ranges, showing 25

Vendor   | Product                                        | Version range                       | Fixed in
debian   | libxml2                                        |                                     |
ibm      | aix                                            |                                     |
ibm      | aix                                            | >= 7.2.5, < 7.2.5.12                | 7.2.5.12
ibm      | aix                                            | >= 7.3.2, < 7.3.3.3                 | 7.3.3.3
ibm      | vios                                           |                                     |
ibm      | vios                                           | >= 4.1.0, < 4.1.1.30                | 4.1.1.30
msrc     | azl3_libxml2_2.11.5-6_on_azure_linux_3.0       |                                     |
msrc     | azl3_libxml2_2.11.5-7_on_azure_linux_3.0       |                                     |
msrc     | azl3_libxml2_2.11.5-8_on_azure_linux_3.0       |                                     |
msrc     | azl3_libxml2_2.11.5-9_on_azure_linux_3.0       |                                     |
msrc     | cbl2_libxml2_2.10.4-10_on_cbl_mariner_2.0      |                                     |
msrc     | cbl2_libxml2_2.10.4-11_on_cbl_mariner_2.0      |                                     |
msrc     | cbl2_libxml2_2.10.4-8_on_cbl_mariner_2.0       |                                     |
msrc     | cbl2_libxml2_2.10.4-9_on_cbl_mariner_2.0       |                                     |
siemens  | ruggedcom_rst2428p_firmware                    | < 4.0                               | 4.0
xmlsoft  | libxml2                                        | < 2.15.2                            | 2.15.2
xmlsoft  | libxml2                                        |                                     |
xmlsoft  | libxml2                                        |                                     |
xmlsoft  | libxml2                                        |                                     |
xmlsoft  | libxml2                                        |                                     |
xmlsoft  | libxml2                                        |                                     |
xmlsoft  | libxml2                                        |                                     |
xmlsoft  | libxml2                                        | >= 0, < 2.9.13+dfsg-1ubuntu0.11     | 2.9.13+dfsg-1ubuntu0.11
xmlsoft  | libxml2                                        | >= 0, < 2.9.14+dfsg-1.3ubuntu3.7    | 2.9.14+dfsg-1.3ubuntu3.7
xmlsoft  | libxml2                                        | >= 0, < 2.14.5+dfsg-0.2ubuntu0.1    | 2.14.5+dfsg-0.2ubuntu0.1

CVSS provenance

Source         | CVSS version | Score | Severity | Vector
nvd            | v3.1         | 3.3   | LOW      | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
nvd            | v4.0         | 1.9   | LOW      | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd            | v2.0         | 1.7   | LOW      | AV:L/AC:L/Au:S/C:N/I:N/A:P
osv            |              | 4.8   | MEDIUM   |
vendor_debian  |              | 4.8   | LOW      |
vendor_redhat  |              | 4.8   | MEDIUM   |
vendor_msrc    |              | 3.3   | LOW      |
vendor_ubuntu  |              | 3.3   | LOW      |