CVE Vulnerabilities

CVE-2026-12975

Improper Restriction of XML External Entity Reference

Published: Jun 25, 2026 | Modified: Jul 06, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
8.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H
Ubuntu
root.io logo minimus.io logo echo.ai logo

A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

NameVendorStart VersionEnd Version
Build_of_apicurio_registryRedhat3.0 (including)3.2 (including)

Potential Mitigations

References