Detections
Analytics

CVE-2026-34401

medium

Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

References

https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch

https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21

https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53

https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c

Details

Source: Mitre, NVD

Published: 2026-03-31

Updated: 2026-04-01

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00224