CWE-827: Improper Control of Document Type Definition
The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary HTTP requests on behalf of the attacker.
Abstraction: Variant
Common Consequences
| Scope | Impact |
|---|---|
| Confidentiality | Read Files or Directories |
| Availability | DoS: Resource Consumption (CPU) |
| Integrity | Execute Unauthorized Code or Commands |
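One way to keep a DTD reference inside the intended control sphere is to inspect the DOCTYPE before the document reaches the application's real parser. The following is an added example, not code from the CWE entry; the allowlisted URL, the sample documents and the names `check_doctype` and `DisallowedDTD` are constructed for illustration.

```python
import xml.parsers.expat

# Assumption: the single DTD this application intends to accept (constructed value).
ALLOWED_SYSTEM_IDS = {"https://schemas.example.internal/order.dtd"}

# Constructed sample documents.
SAMPLE_ALLOWED = (b'<?xml version="1.0"?><!DOCTYPE order SYSTEM '
                  b'"https://schemas.example.internal/order.dtd"><order id="1"/>')
SAMPLE_FOREIGN = b'<!DOCTYPE order SYSTEM "http://dtd.example.invalid/other.dtd"><order/>'
SAMPLE_INLINE = b'<!DOCTYPE order [<!ENTITY a "b">]><order>&a;</order>'
SAMPLE_NO_DTD = b'<order id="2"/>'


class DisallowedDTD(ValueError):
    """Raised when a document's DOCTYPE falls outside the accepted set."""


def check_doctype(xml_bytes, allowed=ALLOWED_SYSTEM_IDS):
    """Return the DOCTYPE system identifier (None if absent).

    Raises DisallowedDTD for a system identifier that is not allowlisted,
    or for an inline DTD subset, which could declare entities of its own.
    """
    seen = {"system_id": None}
    parser = xml.parsers.expat.ParserCreate()
    # Explicitly forbid loading the external DTD subset / parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if has_internal_subset:
            raise DisallowedDTD("inline DTD subset is not accepted")
        if system_id is not None and system_id not in allowed:
            raise DisallowedDTD(f"DTD reference outside allowlist: {system_id!r}")
        seen["system_id"] = system_id

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)  # handler exceptions propagate to the caller
    return seen["system_id"]


if __name__ == "__main__":
    for doc in (SAMPLE_ALLOWED, SAMPLE_FOREIGN, SAMPLE_INLINE, SAMPLE_NO_DTD):
        try:
            print("accepted:", check_doctype(doc))
        except DisallowedDTD as exc:
            print("rejected:", exc)
```

The check never fetches the referenced DTD; it compares the identifier as a string, so the allowlist must hold the exact system identifiers the application expects.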
Real-World Examples (1)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2025-4949 | 5.3 | 0.2% | — |
0 / 100 · low-risk
Active Threat: 0/50 · Minimal
Exploit Availability: 0/50 · Minimal