CVE-2026-34401
XML Notepad XXE Vulnerability Enables Credential and Data Exposure
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | xml_notepad | all versions before 2.9.0.21 (2.9.0.21 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in XML Notepad versions prior to 2.9.0.21, where the program does not disable DTD processing by default. This means that external entities in XML files are automatically resolved. An attacker can craft a malicious XML file containing a DTD that causes XML Notepad to make outbound HTTP or SMB requests. These requests can lead to leaking local file contents or capturing the victim's NTLM credentials.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for outbound HTTP or SMB requests initiated by XML Notepad when processing XML files with external DTDs. Since the issue involves automatic resolution of external entities, unusual outbound network traffic from XML Notepad could indicate exploitation attempts.
You can use network monitoring tools or commands to detect such activity. For example, on Windows systems, you might use:
- PowerShell command to list TCP connections owned by XML Notepad (collects the process IDs first, so it works when zero or several instances are running instead of failing on a multi-valued .Id): $ids = (Get-Process -Name 'XMLNotepad' -ErrorAction SilentlyContinue).Id; Get-NetTCPConnection | Where-Object { $_.OwningProcess -in $ids }
- Use network capture tools like Wireshark or tcpdump to filter outbound HTTP or SMB traffic originating from the XML Notepad process.
- Check XML files for presence of external DTD declarations that could trigger the vulnerability.
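The last item above (checking XML files for external DTD declarations) is the one check that works before the file is ever opened. The following scanner is an added example written for this page, not code from the advisory or from the XML Notepad project. It is a regular-expression heuristic over the document prolog, not a full XML parser: it flags a DOCTYPE with an external identifier, and general or parameter entities declared with SYSTEM or PUBLIC inside the internal subset, and classifies each referenced URI as network (HTTP/HTTPS), UNC/SMB, local file, or relative. An internal-only DTD (entities with literal values) is deliberately not flagged, and UTF-16 input is normalised first because that is a common save encoding for Windows XML editors. All sample documents are constructed for the demo and point only at the reserved example.invalid host or placeholder paths. Python is used here because the check is file-content inspection that runs the same on any host that collects the files.

```python
import codecs
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample documents for the demo (not files from the advisory).
# External references use the reserved "example.invalid" host and
# placeholder local paths so nothing here names a real resource.
SAMPLES: Dict[str, bytes] = {
    "benign.xml": b'<?xml version="1.0"?><note><to>Ann</to></note>',
    # Internal subset only: no outside resource is named, so not flagged.
    "internal-only.xml": (b'<?xml version="1.0"?>'
                          b'<!DOCTYPE note [<!ENTITY company "Contoso">]>'
                          b'<note>&company;</note>'),
    "external-doctype.xml": (b'<?xml version="1.0"?>'
                             b'<!DOCTYPE note SYSTEM "http://example.invalid/note.dtd">'
                             b'<note/>'),
    "external-entity.xml": (b'<?xml version="1.0"?>'
                            b'<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///C:/placeholder/local.txt">]>'
                            b'<note>&ext;</note>'),
    "parameter-entity-unc.xml": (b'<?xml version="1.0"?>'
                                 b'<!DOCTYPE note [<!ENTITY % remote SYSTEM "\\\\example.invalid\\share\\x.dtd"> %remote;]>'
                                 b'<note/>'),
    "both.xml": (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE note SYSTEM "http://example.invalid/a.dtd" '
                 b'[<!ENTITY e SYSTEM "file:///C:/placeholder/p.txt">]><note/>'),
    # Windows editors often save UTF-16; the scanner must not miss such files.
    "utf16.xml": ('<?xml version="1.0"?><!DOCTYPE note PUBLIC "-//X//Y" '
                  '"https://example.invalid/y.dtd"><note/>').encode("utf-16"),
}

_QUOTED = rb'(?:"([^"]*)"|\'([^\']*)\')'
# External identifier:  SYSTEM "uri"   or   PUBLIC "pubid" "uri"
# groups 1/2 = SYSTEM literal, 3/4 = public id, 5/6 = PUBLIC system literal
_EXT_ID_RE = re.compile(
    rb'(?:SYSTEM\s+' + _QUOTED + rb'|PUBLIC\s+' + _QUOTED + rb'\s+' + _QUOTED + rb')',
    re.IGNORECASE)
# <!DOCTYPE name  externalID?  [ internal subset ]?  >
_DOCTYPE_RE = re.compile(
    rb'<!DOCTYPE\s+(?P<name>[^\s\[>]+)(?P<decl>[^>\[]*)(?:\[(?P<subset>.*?)\])?\s*>',
    re.IGNORECASE | re.DOTALL)
# <!ENTITY [%] name  body >   (body is an external id or a literal value)
_ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(?P<pe>%\s+)?(?P<name>\S+)\s+(?P<body>[^>]*)>',
    re.IGNORECASE | re.DOTALL)


def _as_utf8(data: bytes) -> bytes:
    """Re-encode UTF-16 input (with or without BOM) as UTF-8 so the byte
    regexes can see the markup; strip a UTF-8 BOM if present."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16").encode("utf-8")
    if data[:2] in (b"<\x00", b"\x00<"):
        enc = "utf-16-le" if data[:2] == b"<\x00" else "utf-16-be"
        return data.decode(enc).encode("utf-8")
    if data.startswith(codecs.BOM_UTF8):
        return data[len(codecs.BOM_UTF8):]
    return data


def _uri(m) -> str:
    """Pick the system literal out of an _EXT_ID_RE match."""
    for g in (1, 2, 5, 6):
        if m.group(g) is not None:
            return m.group(g).decode("utf-8", "replace")
    return ""


def classify(uri: str) -> str:
    """Rough triage of where a resolved external reference would go."""
    u = uri.strip().lower()
    if u.startswith(("http://", "https://")):
        return "network"          # outbound HTTP request
    if u.startswith(("\\\\", "//", "smb://")):
        return "unc/smb"          # SMB connection, NTLM authentication possible
    if u.startswith("file:"):
        return "local-file"       # local file read (file: may also name a UNC path)
    return "relative"             # resolved relative to the document's location


def scan_bytes(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per external DTD reference found in the prolog."""
    text = _as_utf8(data)
    findings: List[Dict[str, str]] = []
    for dt in _DOCTYPE_RE.finditer(text):
        m = _EXT_ID_RE.search(dt.group("decl"))
        if m:
            findings.append({"kind": "doctype", "name": dt.group("name").decode("utf-8", "replace"),
                             "uri": _uri(m), "class": classify(_uri(m))})
        for ent in _ENTITY_RE.finditer(dt.group("subset") or b""):
            m = _EXT_ID_RE.match(ent.group("body"))
            if m:
                kind = "parameter-entity" if ent.group("pe") else "general-entity"
                findings.append({"kind": kind, "name": ent.group("name").decode("utf-8", "replace"),
                                 "uri": _uri(m), "class": classify(_uri(m))})
    return findings


def scan_file(path: str) -> List[Dict[str, str]]:
    return scan_bytes(Path(path).read_bytes())


def scan_samples() -> Dict[str, List[Dict[str, str]]]:
    return {name: scan_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(("FLAG " if findings else "ok   ") + name)
        for f in findings:
            print(f"      {f['kind']} {f['name']!r} -> {f['class']}: {f['uri']}")
```

Point scan_file at a directory sweep (for example, every .xml in a user's Documents folder) and treat any "network" or "unc/smb" finding as a file that must not be opened in an unpatched XML Notepad. Because the heuristic only looks at declarations, it cannot tell whether the reference is benign; the decision it supports is "inspect before opening", which is exactly the gap the interim mitigation relies on.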
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade XML Notepad to version 2.9.0.21 or later, where the vulnerability has been patched by disabling DTD processing by default.
Until the upgrade can be applied, avoid opening untrusted XML files that may contain malicious external DTDs, and consider restricting outbound HTTP and SMB traffic from the XML Notepad application to prevent data leakage or credential capture.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker to leak sensitive local files or capture your NTLM credentials through crafted malicious XML files. This can lead to unauthorized access to your system or data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in XML Notepad allows external entity resolution by default, which can lead to the leakage of local file contents or capture of NTLM credentials through malicious XML files. Such unauthorized data exposure could potentially violate data protection requirements in standards like GDPR or HIPAA, which mandate safeguarding sensitive personal or health information from unauthorized access or disclosure.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.