CVE-2026-24343
XPath Injection in Apache HertzBeat 1.7.1β1.8.0 Allows Data Manipulation
Publication date: 2026-02-10
Last updated on: 2026-02-11
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | hertzbeat | From 1.7.1 (inc) to 1.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-643 | The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-24343 is an XPath Injection vulnerability in Apache HertzBeat versions from 1.7.1 before 1.8.0. It occurs due to improper neutralization of data within XPath expressions, which means that user-supplied data is not properly sanitized before being used in XPath queries.'}, {'type': 'paragraph', 'content': "This flaw allows attackers to send maliciously crafted XPath queries that can manipulate the system's processing of these expressions."}] [1]
How can this vulnerability impact me? :
The vulnerability can lead to uncontrolled resource consumption when processing crafted XPath expressions. This means an attacker could exploit the system by sending malicious XPath queries that may degrade performance or cause denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Apache HertzBeat to version 1.8.0, which contains the fix for the XPath Injection issue.