CVE-2025-9375

Description

XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.

Weakness Type (CWE)

CWE-91 CWE-91

References

Other References

https://fluidattacks.com/advisories/mono https://github.com/martinblech/xmltodict https://github.com/martinblech/xmltodict/blob/v0.15.1/CHANGELOG.md https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33 https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923

Frequently Asked Questions

What is CVE-2025-9375? +

XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.

How do I check if I'm vulnerable to CVE-2025-9375? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to …

CVE-2026-41672

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to …

CVE-2026-41675

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to …

CVE-2024-51136 9.8

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary …

CVE-2025-24404 8.8

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated …

CVE-2026-40165 8.7

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass …

Description

Weakness Type (CWE)

References

Other References

Frequently Asked Questions

Related Vulnerabilities

Don't wait for an exploit