CVE-2026-34401

| EUVD-2026-17666 MEDIUM
2026-03-31 GitHub_M
6.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 31, 2026 - 21:31 vuln.today
EUVD ID Assigned
Mar 31, 2026 - 21:31 euvd
EUVD-2026-17666
CVE Published
Mar 31, 2026 - 21:05 nvd
MEDIUM 6.5

Tags

Microsoft XXE

Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

Analysis

XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, exploiting disabled-by-default DTD processing that automatically resolves external entities. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

33
Low Medium High Critical
KEV: 0
EPSS: +0.2
CVSS: +32
POC: 0

Share

CVE-2026-34401 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy