Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2023-52426

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Published: Feb 04, 2024 | Modified: Nov 04, 2025
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.5 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-52426
CWEhttps://cwe.mitre.org/data/definitions/776.html

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name Vendor Start Version End Version
Libexpat Libexpat_project * 2.5.0 (including)
Apache2 Ubuntu trusty *
Apr-util Ubuntu trusty *
Ayttm Ubuntu trusty *
Ayttm Ubuntu xenial *
Cableswig Ubuntu trusty *
Cableswig Ubuntu xenial *
Cadaver Ubuntu bionic *
Cadaver Ubuntu focal *
Cadaver Ubuntu mantic *
Cadaver Ubuntu oracular *
Cadaver Ubuntu trusty *
Cadaver Ubuntu xenial *
Cmake Ubuntu trusty *
Coin3 Ubuntu bionic *
Coin3 Ubuntu trusty *
Coin3 Ubuntu trusty/esm *
Coin3 Ubuntu xenial *
Expat Ubuntu bionic *
Expat Ubuntu devel *
Expat Ubuntu noble *
Expat Ubuntu oracular *
Expat Ubuntu plucky *
Expat Ubuntu questing *
Expat Ubuntu trusty *
Expat Ubuntu upstream *
Expat Ubuntu xenial *
Firefox Ubuntu bionic *
Firefox Ubuntu trusty *
Firefox Ubuntu xenial *
Gdcm Ubuntu trusty *
Ghostscript Ubuntu trusty *
Insighttoolkit4 Ubuntu bionic *
Insighttoolkit4 Ubuntu focal *
Insighttoolkit4 Ubuntu trusty *
Insighttoolkit4 Ubuntu xenial *
Libxmltok Ubuntu bionic *
Libxmltok Ubuntu trusty *
Libxmltok Ubuntu xenial *
Matanza Ubuntu bionic *
Matanza Ubuntu devel *
Matanza Ubuntu esm-apps/bionic *
Matanza Ubuntu esm-apps/focal *
Matanza Ubuntu esm-apps/jammy *
Matanza Ubuntu esm-apps/noble *
Matanza Ubuntu esm-apps/xenial *
Matanza Ubuntu focal *
Matanza Ubuntu jammy *
Matanza Ubuntu mantic *
Matanza Ubuntu noble *
Matanza Ubuntu oracular *
Matanza Ubuntu plucky *
Matanza Ubuntu questing *
Matanza Ubuntu trusty *
Matanza Ubuntu xenial *
Smart Ubuntu trusty *
Swish-e Ubuntu bionic *
Swish-e Ubuntu focal *
Swish-e Ubuntu mantic *
Swish-e Ubuntu oracular *
Swish-e Ubuntu trusty *
Swish-e Ubuntu xenial *
Tdom Ubuntu bionic *
Tdom Ubuntu focal *
Tdom Ubuntu mantic *
Tdom Ubuntu oracular *
Tdom Ubuntu trusty *
Tdom Ubuntu xenial *
Texlive-bin Ubuntu trusty *
Thunderbird Ubuntu bionic *
Thunderbird Ubuntu mantic *
Thunderbird Ubuntu trusty *
Thunderbird Ubuntu xenial *
Vnc4 Ubuntu bionic *
Vnc4 Ubuntu trusty *
Vnc4 Ubuntu xenial *
Vtk Ubuntu trusty *
Vtk Ubuntu trusty/esm *
Vtk Ubuntu xenial *
Wbxml2 Ubuntu bionic *
Wbxml2 Ubuntu oracular *
Wbxml2 Ubuntu trusty *
Wbxml2 Ubuntu xenial *
Xmlrpc-c Ubuntu bionic *
Xmlrpc-c Ubuntu oracular *
Xmlrpc-c Ubuntu trusty *
Xmlrpc-c Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use