CVE-2025-9375

Sažetak

XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.

Reference

https://fluidattacks.com/advisories/mono
https://github.com/martinblech/xmltodict
https://github.com/martinblech/xmltodict/blob/v0.15.1/CHANGELOG.md
https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator
https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

20-04-2026 - 22:16

Objavljeno

01-09-2025 - 17:15