SCA: security update for com.powsybl:powsybl-commons (GHSA-qpj9-qcwx-8jv2)

medium Tenable Self-Hosted Container Security Plugin ID 437206

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PowSyBl (Power System Blocks) is a framework for building power-system-oriented software. Prior to version
6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack
and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to
read files that they do not have permission to access, including sensitive files on the system. The vulnerable
class is com.powsybl.commons.xml.XmlReader, which is considered unsafe in use cases where
untrusted users can submit their own XML to the vulnerable methods, for example a multi-tenant application
that hosts many different users, perhaps with different privilege levels. This issue has been patched in
com.powsybl:powsybl-commons: 6.7.2. (CVE-2025-47293)

See Also

https://github.com/advisories/GHSA-qpj9-qcwx-8jv2

Plugin Details

Severity: Medium

ID: 437206

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-47293

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/19/2025

Vulnerability Publication Date: 6/19/2025

Reference Information

CVE: CVE-2025-47293