Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.
AnalysisAI
XML External Entity (XXE) injection in GRASSMARLIN v3.2.1 allows authenticated local users to extract sensitive information through crafted session data that exploits insufficient XML parser hardening. The vulnerability has a CVSS score of 5.5 with local attack vector and high confidentiality impact, affecting users with login credentials on systems running the affected version.
Technical ContextAI
GRASSMARLIN is an NSA-developed network visualization and analysis tool used in industrial control systems (ICS) environments. The vulnerability stems from CWE-611 (Improper Restriction of XML External Entity Reference), a well-known XML parsing flaw where the XML parser processes external entity declarations without proper validation or filtering. When the application parses crafted session data files (likely XML-formatted), an attacker can define malicious external entities that reference local system files, allowing unauthorized read access to sensitive data on the server filesystem. The flaw indicates the XML parser was instantiated without XXE protections such as disabling DOCTYPE declarations, external entity resolution, or schema validation.
RemediationAI
Upgrade GRASSMARLIN to a patched version released by NSA following CISA advisory ICSA-26-118-01; consult the advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01 for exact fixed version availability and timeline. If an immediate patch is unavailable, implement these compensating controls: (1) restrict GRASSMARLIN login access to a minimal set of trusted operator accounts via authentication system controls, reducing the number of potential attackers to those with valid credentials; (2) disable or restrict the application's ability to import external session files, if that feature can be disabled without breaking critical workflows; (3) monitor session file creation and XML parsing logs for suspicious DOCTYPE or SYSTEM declarations; (4) run GRASSMARLIN under an OS-level user account with minimal file system permissions, limiting data exposure to non-sensitive files only. Each control involves operational trade-offs - restricting imports may require manual session management, and minimal file permissions may break backup or reporting features.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26135