CVE-2026-34401
MEDIUM 6.5
Description
XML Notepad is a Windows program that provides a simple, intuitive user interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default, which means external entities are resolved automatically. There is a well-known attack related to malicious DTD files in which an attacker crafts a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.
CVE Details
CVSS v3.1 score: 6.5
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 3/31/2026
Last modified: 4/1/2026
Source: nvd
Honeypot observations: 0
Weaknesses (CWE)
CWE-611
References
https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c (security-advisories@github.com)
https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53 (security-advisories@github.com)
https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21 (security-advisories@github.com)
https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch (security-advisories@github.com)
https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.