OpenXRechnungToolbox XML External Entity Injection Vulnerability

Vulnerability

An XML External Entity (XXE) injection vulnerability has been identified in OpenXRechnungToolbox versions through 2024-10-05-3.0.0 prior to commit 6c50e89. The vulnerability arises because the XML parser is not configured with the 'disallow-doctype-decl' feature, so a DOCTYPE declaration in an attacker-supplied XML document (for example an invoice submitted for validation or visualization) is accepted, and any external entities it declares are resolved by the parser.

Impact

Exploitation of this vulnerability allows XML External Entity injection: an entity declared with a SYSTEM identifier is resolved by the parser when the document is processed, which can lead to unauthorized reading of local files and their exfiltration, either in the parser's output or via an out-of-band request to an attacker-controlled host.
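
The following is an added illustration of the parser configuration issue described in the Vulnerability and Impact sections above; it is not code from the OpenXRechnungToolbox project. The feature name the advisory cites is the Xerces/JAXP feature, so the example is Java. The invoice document is constructed for the example, the file path and the BuyerReference element are chosen only for illustration, and the unsafe builder stands in for any parser left at JAXP defaults rather than for the project's actual code.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class XxeDemo {
    // Constructed attacker-supplied invoice (not a real XRechnung document):
    // the DOCTYPE declares an external entity pointing at a local file and
    // references it from a text element, so the file content ends up in the
    // parsed tree and in anything rendered from it.
    static final String MALICIOUS_INVOICE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE Invoice [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<Invoice xmlns=\"urn:oasis:names:specification:ubl:schema:xsd:Invoice-2\">\n" +
        "  <BuyerReference>&xxe;</BuyerReference>\n" +
        "</Invoice>\n";

    // Unsafe: JAXP defaults accept a DOCTYPE and resolve external entities.
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened: reject any DOCTYPE outright (the feature named in the advisory),
    // plus defensive settings for parsers that ignore that feature. A document
    // that legitimately needs no DTD, such as an XRechnung invoice, loses nothing.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the text of the element the entity lands in.
    static String buyerReference(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagNameNS("*", "BuyerReference").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // With the unsafe builder the file content (or an I/O error naming the
        // file) comes back; either way the parser reached out to the filesystem.
        try {
            System.out.println("unsafe parser resolved entity to: "
                + buyerReference(unsafeBuilder(), MALICIOUS_INVOICE));
        } catch (Exception e) {
            System.out.println("unsafe parser attempted resolution: " + e);
        }
        // The hardened builder fails before any entity is declared, with the
        // Xerces message that the DOCTYPE is disallowed.
        try {
            buyerReference(hardenedBuilder(), MALICIOUS_INVOICE);
            System.out.println("hardened parser: unexpectedly accepted DOCTYPE");
        } catch (Exception e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo`. The first parse shows the resolution attempt that the advisory describes; the second fails at the DOCTYPE, which is the check to confirm when verifying a build of the toolbox that includes the fix.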

Remediation

The vulnerability has been fixed in the project's Git repository (commit 6c50e89), but no new release containing the fix has been published yet.

Added: Dec 24, 2025, 6:18 AM
Updated: Dec 24, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 6.0
remediation: 0.0
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.