Skip to main content

jOpenDocument EUVDEUVD-2026-26973

| CVE-2026-6501 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-04 TCS-CERT
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 17:15 vuln.today
CVSS changed
May 04, 2026 - 15:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 15:00 euvd
EUVD-2026-26973
Analysis Generated
May 04, 2026 - 15:00 vuln.today
CVE Published
May 04, 2026 - 14:26 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup.

This issue affects jOpenDocument: 1.5.

AnalysisAI

XML external entity (XXE) injection in jOpenDocument 1.5 allows authenticated remote attackers to trigger denial of service through XML bomb attacks (billion laughs) by submitting specially crafted documents. The vulnerability affects document parsing functionality and requires valid user authentication, limiting but not eliminating real-world risk in multi-tenant or collaborative document processing environments. EPSS and KEV status not provided, but SSVC framework indicates automatable exploitation with partial technical impact.

Technical ContextAI

jOpenDocument is a Java library for parsing and manipulating OpenDocument Format (ODF) files, which are XML-based document standards. The vulnerability stems from improper handling of XML external entity (XXE) declarations during document deserialization. CWE-611 describes improper XML entity processing, where an XML parser allows external entity resolution without adequate restriction. This enables two attack classes: XXE injection (reading arbitrary files, SSRF) and XML entity expansion attacks (DoS via billion laughs or quadratic blowup patterns). The CPE indicates all versions of jOpenDocument are potentially affected, though the description specifies version 1.5 as the confirmed vulnerable release.

RemediationAI

Upgrade jOpenDocument to a patched version released by ILM Informatique after the 1.5 release. Exact patched version number not confirmed in provided data; contact vendor or consult the official jOpenDocument documentation at https://www.jopendocument.org/documentation.html for patch availability. As an immediate compensating control, disable XML external entity processing in the parser configuration if the library exposes such settings, or implement input validation to reject documents containing DOCTYPE declarations or external entity references. If document upload is enabled, restrict file uploads to authenticated users with appropriate access controls and implement per-user rate limiting on parsing operations to mitigate billion laughs DoS impact. These controls introduce minimal functional overhead but may reject legitimate ODF files with external entity references (rare in standard use).

Share

EUVD-2026-26973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy