Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    GHSA-9MV7-3C64-MMQW

    Vulnerability from github – Published: 2025-09-10 20:44 – Updated: 2025-09-29 14:03
    VLAI
    Summary
    xml2rfc is vulnerable to arbitrary file reads through prepped files
    Details

    Impact

    When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.

    Workarounds

    Test untrusted input with link elements with rel="attachment" before processing.

    References

    This is related to GHSA-cfmv-h8fx-85m7.

    Show details on source website

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "xml2rfc"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "3.30.2"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2025-11059"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-22"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2025-09-10T20:44:58Z",
        "nvd_published_at": null,
        "severity": "HIGH"
      },
      "details": "### Impact\n\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.\n\n### Workarounds\n\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### References\nThis is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).",
      "id": "GHSA-9mv7-3c64-mmqw",
      "modified": "2025-09-29T14:03:39Z",
      "published": "2025-09-10T20:44:58Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw"
        },
        {
          "type": "WEB",
          "url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/ietf-tools/xml2rfc"
        },
        {
          "type": "WEB",
          "url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
          "type": "CVSS_V4"
        }
      ],
      "summary": "xml2rfc is vulnerable to arbitrary file reads through prepped files"
    }

    PYSEC-2026-2057

    Vulnerability from pysec - Published: 2026-07-07 16:03 - Updated: 2026-07-07 17:25
    VLAI
    Details

    Impact

    When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.

    Workarounds

    Test untrusted input with link elements with rel="attachment" before processing.

    References

    This is related to GHSA-cfmv-h8fx-85m7.

    Impacted products
    Name purl
    xml2rfc pkg:pypi/xml2rfc

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "xml2rfc",
            "purl": "pkg:pypi/xml2rfc"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "3.30.2"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "2.10.0",
            "2.10.1",
            "2.10.2",
            "2.10.3",
            "2.11.0",
            "2.11.1",
            "2.12.0",
            "2.12.1",
            "2.12.2",
            "2.12.3",
            "2.13.0",
            "2.13.1",
            "2.14.0",
            "2.14.1",
            "2.15.0",
            "2.15.1",
            "2.15.2",
            "2.15.3",
            "2.15.4",
            "2.15.5",
            "2.16.0",
            "2.16.1",
            "2.16.2",
            "2.16.3",
            "2.17.0",
            "2.17.1",
            "2.17.2",
            "2.18.0",
            "2.19.0",
            "2.19.1",
            "2.2.5",
            "2.2.7",
            "2.20.0",
            "2.20.1",
            "2.21.0",
            "2.21.1",
            "2.22.0",
            "2.22.1",
            "2.22.2",
            "2.22.3",
            "2.23.0",
            "2.23.1",
            "2.24.0",
            "2.25.0",
            "2.26.0",
            "2.27.0",
            "2.27.1",
            "2.28.0",
            "2.29.0",
            "2.29.1",
            "2.3.0",
            "2.3.1",
            "2.3.10",
            "2.3.11",
            "2.3.11.1",
            "2.3.11.2",
            "2.3.11.3",
            "2.3.2",
            "2.3.3",
            "2.3.4",
            "2.3.5",
            "2.3.6",
            "2.3.7",
            "2.3.8",
            "2.3.9",
            "2.30.0",
            "2.31.0",
            "2.32.0",
            "2.33.0",
            "2.34.0",
            "2.35.0",
            "2.36.0",
            "2.37.0",
            "2.37.1",
            "2.37.2",
            "2.37.3",
            "2.38.0",
            "2.38.1",
            "2.39.0",
            "2.4.0",
            "2.4.1",
            "2.4.10",
            "2.4.10.dev0",
            "2.4.11",
            "2.4.12",
            "2.4.2",
            "2.4.3",
            "2.4.4",
            "2.4.5",
            "2.4.6",
            "2.4.7",
            "2.4.8",
            "2.4.9",
            "2.40.0",
            "2.40.1",
            "2.41.0",
            "2.42.0",
            "2.43.0",
            "2.44.0",
            "2.45.0",
            "2.45.1",
            "2.45.2",
            "2.45.3",
            "2.46.0",
            "2.47.0",
            "2.5.0",
            "2.5.1",
            "2.5.2",
            "2.5.3.dev0",
            "2.6.0",
            "2.6.1",
            "2.6.2",
            "2.7.0",
            "2.8.0",
            "2.8.1",
            "2.8.2",
            "2.8.3",
            "2.8.4",
            "2.8.5",
            "2.9.0",
            "2.9.1",
            "2.9.2",
            "2.9.3",
            "2.9.4",
            "2.9.5",
            "2.9.6",
            "2.9.7",
            "2.9.8",
            "2.9.9",
            "3.0.0",
            "3.1.0",
            "3.1.1",
            "3.10.0",
            "3.11.0",
            "3.11.1",
            "3.12.0",
            "3.12.1",
            "3.12.10",
            "3.12.2",
            "3.12.3",
            "3.12.4",
            "3.12.5",
            "3.12.6",
            "3.12.7",
            "3.12.8",
            "3.12.9",
            "3.13.0",
            "3.13.1",
            "3.14.0",
            "3.14.1",
            "3.14.2",
            "3.15.0",
            "3.15.1",
            "3.15.2",
            "3.15.3",
            "3.16.0",
            "3.17.0",
            "3.17.1",
            "3.17.2",
            "3.17.3",
            "3.17.4",
            "3.17.5",
            "3.18.0",
            "3.18.1",
            "3.18.2",
            "3.19.0",
            "3.19.1",
            "3.19.2",
            "3.19.3",
            "3.19.4",
            "3.2.0",
            "3.2.1",
            "3.20.0",
            "3.20.1",
            "3.21.0",
            "3.22.0",
            "3.23.0",
            "3.23.1",
            "3.23.2",
            "3.24.0",
            "3.25.0",
            "3.26.0",
            "3.27.0",
            "3.28.0",
            "3.28.1",
            "3.29.0",
            "3.3.0",
            "3.30.0",
            "3.30.1",
            "3.4.0",
            "3.5.0",
            "3.6.0",
            "3.7.0",
            "3.8.0",
            "3.9.0",
            "3.9.1"
          ]
        }
      ],
      "aliases": [
        "CVE-2025-11059",
        "GHSA-9mv7-3c64-mmqw"
      ],
      "details": "### Impact\n\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.\n\n### Workarounds\n\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### References\nThis is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).",
      "id": "PYSEC-2026-2057",
      "modified": "2026-07-07T17:25:52.232806Z",
      "published": "2026-07-07T16:03:04.649471Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw"
        },
        {
          "type": "WEB",
          "url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/ietf-tools/xml2rfc"
        },
        {
          "type": "WEB",
          "url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2"
        },
        {
          "type": "PACKAGE",
          "url": "https://pypi.org/project/xml2rfc"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-9mv7-3c64-mmqw"
        },
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11059"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
          "type": "CVSS_V4"
        }
      ],
      "summary": "xml2rfc is vulnerable to arbitrary file reads through prepped files"
    }