Mustang XXE Vulnerability in ZUGFeRDInvoiceImporter Allowing File Exfiltration

Vulnerability

Mustang versions prior to 2.16.3 are vulnerable to XML External Entity (XXE) injection, which can be exploited to exfiltrate files. The ZUGFeRDInvoiceImporter component parses invoice XML with a DocumentBuilder created at its default settings, and the JDK's default DocumentBuilderFactory resolves external entities and external DTDs, so a DOCTYPE in a crafted invoice is honoured instead of rejected.

Impact

Anyone who can get a crafted invoice processed by an application that imports it with Mustang can mount an XXE attack: an external entity declared in the document's DOCTYPE makes the parser read a file the application has access to, and its contents can be reflected back in the parsed result or sent to an attacker-controlled host, exfiltrating data from the server.

Reproduction

The vulnerability can be reproduced by passing the ZUGFeRDInvoiceImporter class an XML document whose DOCTYPE declares an external entity (for example a SYSTEM entity pointing at a local file) and references that entity in the body. The default DocumentBuilder resolves the entity, so the file's contents end up in the parsed document, which is the basis for exfiltration.

Remediation

Upgrade to Mustang version 2.16.3 or later, where this vulnerability has been addressed. Until the upgrade is in place, do not feed invoices from untrusted sources to ZUGFeRDInvoiceImporter.
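The following stand-alone Java program is an added illustration of both the Reproduction and the Remediation sections; it is not code from Mustang or from this advisory. It builds a constructed invoice-shaped XML document whose DOCTYPE declares an external entity pointing at a temporary file, parses it once with a default DocumentBuilderFactory (the pattern the advisory describes) and once with a hardened factory that refuses DOCTYPEs and disables external entities and DTDs. The root element name and namespace are only sample values, and the hardened settings are a standard XXE-hardening configuration, not a claim about what Mustang 2.16.3 itself changed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Default factory: external entities and external DTDs are resolved, as in the affected importer.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory (standard XXE hardening, assumed here, not Mustang's own code).
    // Invoice XML never needs a DOCTYPE, so rejecting it outright is the decisive setting;
    // the remaining features are defence in depth for parsers that ignore the first one.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the XML and returns the text content of the root element, where an
    // expanded external entity would surface.
    static String rootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    // Constructed malicious invoice: a DOCTYPE declaring an external entity that
    // points at a local file, referenced in the body so its contents are reflected.
    static String maliciousInvoice(Path localFile) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE rsm:CrossIndustryInvoice [\n"
            + "  <!ENTITY xxe SYSTEM \"" + localFile.toUri() + "\">\n"
            + "]>\n"
            + "<rsm:CrossIndustryInvoice"
            + " xmlns:rsm=\"urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100\">"
            + "&xxe;</rsm:CrossIndustryInvoice>";
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the importing server (constructed sample data).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-FILE-CONTENT");
        String xml = maliciousInvoice(secret);
        try {
            // Vulnerable path: the file's contents are reflected into the parsed document.
            System.out.println("default factory  : " + rootText(defaultFactory(), xml));
            // Hardened path: the DOCTYPE is rejected before any entity is resolved.
            try {
                rootText(hardenedFactory(), xml);
                System.out.println("hardened factory : parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened factory : rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `java XxeDemo.java` (JDK 11 or later). The first line prints the temporary file's contents, which is exactly the behaviour the advisory describes; the second reports a parse error because the hardened factory refuses the DOCTYPE. When checking a downstream application, the same two-factory comparison against its own parsing code tells you whether it is exposed regardless of which Mustang version it bundles.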

Added: Nov 28, 2025, 4:17 AM
Updated: Nov 28, 2025, 4:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 5.3
remediation: 7.7
relevance: 1.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.