CVE-2024-40896

moderate-risk

Published 2024-12-23

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

Do I need to act?

0.55% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (9)

Libxml2

Hci Compute Node

Solidfire \& Hci Management Node

Solidfire \& Hci Storage Node

H300S Firmware

H410S Firmware

H500S Firmware

H700S Firmware

H410C Firmware

Affected Vendors

Xmlsoft Netapp

References (3)

Issue Tracking https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c...

Issue Tracking https://gitlab.gnome.org/GNOME/libxml2/-/issues/761

Third Party Advisory https://security.netapp.com/advisory/ntap-20250228-0004/

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 2/34 · Minimal

Exposure 15/34 · Moderate