CVE-2026-34401 in XmlNotepad
요약 (영어)
XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
책임이 있는
GitHub_M
예약하다
2026. 03. 27.
공개
2026. 04. 01.
상태
확인됨
엔트리
VulDB provides additional information and datapoints for this CVE:
| 아이디 | 취약성 | CWE | 악용 | 대책 | CVE |
|---|---|---|---|---|---|
| 354585 | Microsoft XmlNotepad HTTP/SMB XML External Entity | 611 | 정의되지 않음 | 공식 수정 | CVE-2026-34401 |