Vulnerability Description
XML Notepad is a Windows program that provides a simple, intuitive user interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad did not disable DTD processing by default, which means external entities were resolved automatically. There is a well-known attack involving malicious DTD files, in which an attacker crafts an XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.
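As an added example (not the XML Notepad project's own code), this is the hardened .NET reader configuration the fix amounts to: a DOCTYPE is rejected before any entity can be resolved, and the resolver is removed so no file or network lookup can happen. The sample document and its DTD URL are constructed placeholders.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: load untrusted XML with DTD processing disabled so a
// DOCTYPE cannot trigger external entity resolution or outbound requests.
static class SafeXmlLoader
{
    // Constructed sample: a document whose DOCTYPE references an external
    // DTD (placeholder host, not a real indicator).
    const string Sample =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note SYSTEM \"http://dtd.example/external.dtd\">\n" +
        "<note>hello</note>";

    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            // The weak setting is DtdProcessing.Parse with the default
            // resolver; Prohibit makes the reader throw on any DOCTYPE.
            DtdProcessing = DtdProcessing.Prohibit,
            // No resolver: no file or network fetches even if DTD handling
            // were later relaxed to Ignore.
            XmlResolver = null,
            // Bound entity expansion as a defence in depth.
            MaxCharactersFromEntities = 1024
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    static void Main()
    {
        try
        {
            LoadUntrusted(Sample);
            Console.WriteLine("loaded");
        }
        catch (XmlException ex)
        {
            // Expected for the sample: the DOCTYPE is refused outright.
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```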
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Xml Notepad | < 2.9.0.21 |
Related Weaknesses (CWE)
References
- https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb (Patch)
- https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f8 (Patch)
- https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21 (Product, Release Notes)
- https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch (Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-34401?
CVE-2026-34401 is a vulnerability with a CVSS score of 6.5 (MEDIUM). XML Notepad is a Windows program that provides a simple, intuitive user interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad did not disable DTD processing by default, so external entities were resolved automatically.
How severe is CVE-2026-34401?
CVE-2026-34401 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-34401?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Xml Notepad.