Home

Description

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

PUBLISHED Reserved 2024-04-05 | Published 2025-10-17 | Updated 2025-10-17 | Assigner mitre




MEDIUM: 4.0CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-669 Incorrect Resource Transfer Between Spheres

Product status

Default status
unknown

2.0.0 (semver) before 2.10.0
affected

References

github.com/xmlunit/xmlunit/issues/264 exploit

github.com/advisories/GHSA-chfm-68vv-pvw5

github.com/xmlunit/xmlunit/issues/264

github.com/...ommit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b

cve.org (CVE-2024-31573)

nvd.nist.gov (CVE-2024-31573)

Download JSON