CVE-2026-34401— XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading

XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

XML外部实体引用的不恰当限制(XXE)

XmlNotepad 代码问题漏洞

XmlNotepad是Microsoft开源的一个XML文档浏览与编辑工具。 XmlNotepad 2.9.0.21之前版本存在代码问题漏洞，该漏洞源于默认未禁用DTD处理，可能导致解析恶意XML文件时泄露本地文件内容或凭据。

N/A

N/A