Skip to main content

Build Of Apicurio Registry

1 CVEs product

Monthly

CVE-2026-12993 MEDIUM This Month

CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. No active exploitation (CISA KEV) or confirmed public exploit code has been identified at time of analysis; EPSS data was not provided in the input.

Information Disclosure Build Of Apicurio Registry
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. No active exploitation (CISA KEV) or confirmed public exploit code has been identified at time of analysis; EPSS data was not provided in the input.

Information Disclosure Build Of Apicurio Registry
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy