Home

Description

Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.

PUBLISHED Reserved 2026-03-04 | Published 2026-03-19 | Updated 2026-03-19 | Assigner SK-CERT




HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status
unaffected

Any version before 2.7.2
affected

Timeline

2026-03-02:Vulnerability discovered
2026-03-02:Vulnerability reported to developer
2026-03-02:Developer patched the vulnerability

Credits

Martin Orem from Binary House finder

References

github.com/slovensko-digital/autogram/releases/tag/v2.7.2

blog.binary.house/...adova-studia-ako-sme-s-claude-code.html

cve.org (CVE-2026-3511)

nvd.nist.gov (CVE-2026-3511)

Download JSON