
Threats Tagged 'cwe-91'

View all threats tagged with 'cwe-91'. Filter and sort to focus on specific types of threats.


CVE-2026-46490: CWE-91: XML Injection (aka Blind XPath Injection) in tngan samlify

samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.

CVE-2026-47273: CWE-91: XML Injection (aka Blind XPath Injection) in mcdope pam_usb

pam_usb versions prior to 0.9.0 are vulnerable to an XML Injection (Blind XPath Injection) due to improper validation of user- and device-supplied identifiers used in XPath queries against /etc/pamusb.conf. This allows injection of arbitrary XPath predicates. The vulnerability is fixed in version 0.9.0. The CVSS score is 6.5, indicating a medium severity issue.

CVE-2026-40165: CWE-287: Improper Authentication in goauthentik authentik

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.

CVE-2026-44665: CWE-91: XML Injection (aka Blind XPath Injection) in NaturalIntelligence fast-xml-builder

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values but process entities is not enabled, the attribute value is broken into multiple attributes. This gives an attacker room to insert unwanted attributes into the XML/HTML. This vulnerability is fixed in 1.1.7.

CVE-2026-44664: CWE-91: XML Injection (aka Blind XPath Injection) in NaturalIntelligence fast-xml-builder

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.

CVE-2026-41650: CWE-91: XML Injection (aka Blind XPath Injection) in NaturalIntelligence fast-xml-parser

fast-xml-parser allows users to process XML from a JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

CVE-2026-32870: CWE-91: XML Injection (aka Blind XPath Injection) in getkirby kirby

CVE-2026-32870 is an XML Injection vulnerability in the getkirby CMS affecting versions prior to 4.9.0 and between 5.0.0 and before 5.4.0. The issue arises from improper handling of CDATA blocks in the Xml::value() method, allowing structured data outside valid CDATA blocks to bypass escaping protections. This vulnerability can be exploited if site or plugin code uses the vulnerable XML generation methods to create XML strings from input data, potentially enabling manipulation of systems that process these XML files. The vulnerability does not affect Kirby core functionality or sites that do not use XML generation in site or plugin code.

CVE-2026-28770: CWE-91: XML Injection (aka Blind XPath Injection) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management interface

Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects unsanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into a reflected XSS, but further abuse such as XXE may be possible.

CVE-2026-1554: CWE-91 XML Injection (aka Blind XPath Injection) in Drupal Central Authentication System (CAS) Server

CVE-2026-1554 is an XML Injection vulnerability, specifically a Blind XPath Injection, found in the Drupal Central Authentication System (CAS) Server versions before 2.0.3 and between 2.1.0 and 2.1.2. This vulnerability allows an attacker with limited privileges to escalate their privileges by manipulating XML input used in authentication processes. The CVSS score is 4.2, indicating a medium severity level, with network attack vector but requiring high attack complexity and low privileges.

CVE-2025-1545: CWE-91 XML Injection (aka Blind XPath Injection) in WatchGuard Fireware OS

An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured. This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.


Showing 1 to 10 of 14 results
