Skip to main content

Microsoft CVE-2026-34401

| EUVDEUVD-2026-17666 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-03-31 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.9.0.21
EUVD ID Assigned
Mar 31, 2026 - 21:31 euvd
EUVD-2026-17666
Analysis Generated
Mar 31, 2026 - 21:31 vuln.today
CVE Published
Mar 31, 2026 - 21:05 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

AnalysisAI

XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, exploiting disabled-by-default DTD processing that automatically resolves external entities. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. Microsoft released patched version 2.9.0.21 to address this XXE (XML External Entity) issue.

Technical ContextAI

XML Notepad's XML parser does not disable Document Type Definition (DTD) processing by default, implementing the root cause class CWE-611 (Improper Restriction of XML External Entity Reference). When a user opens an XML document, the parser automatically resolves external entity declarations within the DTD without validation. An attacker can craft a DTD that references external resources via http:// or smb:// protocols, causing the application to make outbound requests that either leak file contents (via out-of-band channels or error responses) or attempt SMB connections to attacker-controlled servers, capturing the authenticated user's NTLM credentials in the process. This is a well-documented XXE attack pattern applicable to any XML parser with DTD processing enabled.

RemediationAI

Vendor-released patch: Microsoft XML Notepad version 2.9.0.21 and later. Users should upgrade immediately from https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21. The underlying fix involves disabling DTD processing by default in the XML parser configuration, preventing automatic resolution of external entities. Until patching is complete, users should avoid opening untrusted XML files from unknown or unverified sources, and consider restricting XML file handling to trusted internal documents only. Network-level controls (blocking outbound SMB and HTTP from the XML Notepad process, or isolating systems handling XML files) may provide temporary defense-in-depth mitigation.

Share

CVE-2026-34401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy