CVE-2024-40896

CRITICAL9.1EPSS 0.55%

Published: 5/6/2026Modified: 5/8/2026

Description

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

Affected packages (3)

Bitnami/javafrom 0, < 1.8.0, >= 1.9.0, < 8.0.461
Bitnami/java-minfrom 0, < 1.8.0, >= 1.9.0, < 8.0.461
Bitnami/jrefrom 0, < 1.8.0, >= 1.9.0, < 8.0.461

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (4)

WEBhttps://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
WEBhttps://gitlab.gnome.org/GNOME/libxml2/-/issues/761
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-40896
WEBhttps://security.netapp.com/advisory/ntap-20250228-0004/