Xmlsoft Libxslt vulnerabilities

CVE-2024-55549 [HIGH] CWE-416 CVE-2024-55549: xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of r xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

CVE-2025-24855 [HIGH] CWE-416 CVE-2025-24855: numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPa numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

CVE-2022-29824 [MEDIUM] CWE-190 CVE-2022-29824: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is af

CVE-2021-30560 [HIGH] CWE-416 CVE-2021-30560: Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to po Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-5815 [HIGH] CWE-787 CVE-2019-5815: Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

CVE-2019-18197 [HIGH] CWE-416 CVE-2019-18197: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circu In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

CVE-2019-13117 [MEDIUM] CWE-908 CVE-2019-13117: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitiali In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

CVE-2019-13118 [MEDIUM] CWE-843 CVE-2019-13118: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

CVE-2019-11068 [CRITICAL] CVE-2019-11068: libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

CVE-2017-5029 [HIGH] CWE-787 CVE-2017-5029: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome p The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

CVE-2015-9019 [MEDIUM] CWE-330 CVE-2015-9019: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

CVE-2016-4610 [CRITICAL] CVE-2016-4610: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud befo libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-460

CVE-2016-4607 [CRITICAL] CWE-119 CVE-2016-4607: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud befo libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-

CVE-2016-4608 [CRITICAL] CVE-2016-4608: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud befo libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-460

CVE-2016-4609 [CRITICAL] CVE-2016-4609: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud befo libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-460

CVE-2016-1683 [HIGH] CWE-119 CVE-2016-1683: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespa numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.

CVE-2016-1684 [HIGH] CVE-2016-1684: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i f numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.

CVE-2015-7995 [MEDIUM] CVE-2015-7995: The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue.

CVE-2013-4520 [MEDIUM] CVE-2013-4520: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (cra xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.

CVE-2012-6139 [MEDIUM] CVE-2012-6139: libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c.