Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup.
This issue affects jOpenDocument: 1.5.
AnalysisAI
XML external entity (XXE) injection in jOpenDocument 1.5 allows authenticated remote attackers to trigger denial of service through XML bomb attacks (billion laughs) by submitting specially crafted documents. The vulnerability affects document parsing functionality and requires valid user authentication, limiting but not eliminating real-world risk in multi-tenant or collaborative document processing environments. EPSS and KEV status not provided, but SSVC framework indicates automatable exploitation with partial technical impact.
Technical ContextAI
jOpenDocument is a Java library for parsing and manipulating OpenDocument Format (ODF) files, which are XML-based document standards. The vulnerability stems from improper handling of XML external entity (XXE) declarations during document deserialization. CWE-611 describes improper XML entity processing, where an XML parser allows external entity resolution without adequate restriction. This enables two attack classes: XXE injection (reading arbitrary files, SSRF) and XML entity expansion attacks (DoS via billion laughs or quadratic blowup patterns). The CPE indicates all versions of jOpenDocument are potentially affected, though the description specifies version 1.5 as the confirmed vulnerable release.
RemediationAI
Upgrade jOpenDocument to a patched version released by ILM Informatique after the 1.5 release. Exact patched version number not confirmed in provided data; contact vendor or consult the official jOpenDocument documentation at https://www.jopendocument.org/documentation.html for patch availability. As an immediate compensating control, disable XML external entity processing in the parser configuration if the library exposes such settings, or implement input validation to reject documents containing DOCTYPE declarations or external entity references. If document upload is enabled, restrict file uploads to authenticated users with appropriate access controls and implement per-user rate limiting on parsing operations to mitigate billion laughs DoS impact. These controls introduce minimal functional overhead but may reject legitimate ODF files with external entity references (rare in standard use).
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26973