CVE-2020-26259— XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-26259
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling
Source: NVD (National Vulnerability Database)
Vulnerability Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
XStream 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
XStream是XStream(Xstream)团队的一个轻量级的、简单易用的开源Java类库,它主要用于将对象序列化成XML(JSON)或反序列化为对象。 XStream 1.1.14版本及之前版本操作系统存在操作系统命令注入漏洞。该漏洞可能允许远程攻击者删除主机上的任意已知文件作为日志。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2020-26259
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights. | https://github.com/jas502n/CVE-2020-26259 | POC Details |
| 2 | CVE-2020-26259 &&XStream Arbitrary File Delete | https://github.com/Al1ex/CVE-2020-26259 | POC Details |
| 3 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/XStream%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20CVE-2020-26259.md | POC Details |
| 4 | None | https://github.com/cuijiung/xstream-CVE-2020-26259 | POC Details |
| 5 | None | https://github.com/andikahilmy/CVE-2020-26259-xstream-vulnerable | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-26259
请登录查看更多情报信息。
- https://x-stream.github.io/CVE-2020-26259.htmlx_refsource_MISC
- https://security.netapp.com/advisory/ntap-20210409-0005/x_refsource_CONFIRM
- https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fhx_refsource_CONFIRM
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/vendor-advisoryx_refsource_FEDORA
- https://nvd.nist.gov/vuln/detail/CVE-2020-26259
IV. Related Vulnerabilities
Same product: xstream
- CVE-2024-47072
XStream is vulnerable to a Denial of Service attack due to s - CVE-2022-41966
XStream Denial of Service via stack overflow - CVE-2022-40151
Stack Buffer Overflow in xstream - CVE-2021-43859
Denial of Service by injecting highly recursive collections - CVE-2021-39150
A Server-Side Forgery Request vulnerability in XStream via P
Same vendor: x-stream
- CVE-2024-47072
XStream is vulnerable to a Denial of Service attack due to s - CVE-2022-41966
XStream Denial of Service via stack overflow - CVE-2021-43859
Denial of Service by injecting highly recursive collections - CVE-2021-39150
A Server-Side Forgery Request vulnerability in XStream via P - CVE-2021-39152
A Server-Side Forgery Request vulnerability in XStream via H
Same weakness: CWE-78
- CVE-2026-8273
D-Link DNS-320 system_mgr.cgi cgi_merge_user os command inje - CVE-2026-8272
D-Link DNS-320 webfile_mgr.cgi chown os command injection - CVE-2026-8271
D-Link DNS-320 network_mgr.cgi cgi_upnp_edit os command inje - CVE-2026-8265
Tenda AC6 httpd getLogFile get_log_file os command injection - CVE-2026-8264
Tenda AC6 httpd WifiApScan formWifiApScan os command injecti
V. Comments for CVE-2020-26259
No comments yet