CVE-2026-34401
Received Received - Intake
XML Notepad XXE Vulnerability Enables Credential and Data Exposure

Publication date: 2026-03-31

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34401
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microsoft xml_notepad to 2.9.0.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in XML Notepad versions prior to 2.9.0.21, where the program does not disable DTD processing by default. This means that external entities in XML files are automatically resolved. An attacker can craft a malicious XML file containing a DTD that causes XML Notepad to make outbound HTTP or SMB requests. These requests can lead to leaking local file contents or capturing the victim's NTLM credentials.

Impact Analysis

The vulnerability can impact you by allowing an attacker to leak sensitive local files or capture your NTLM credentials through crafted malicious XML files. This can lead to unauthorized access to your system or data breaches.

Detection Guidance

This vulnerability can be detected by monitoring for outbound HTTP or SMB requests initiated by XML Notepad when processing XML files with external DTDs. Since the issue involves automatic resolution of external entities, unusual outbound network traffic from XML Notepad could indicate exploitation attempts.

You can use network monitoring tools or commands to detect such activity. For example, on Windows systems, you might use:

  • PowerShell command to monitor network connections: Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process -Name 'XMLNotepad').Id }
  • Use network capture tools like Wireshark or tcpdump to filter outbound HTTP or SMB traffic originating from the XML Notepad process.
  • Check XML files for presence of external DTD declarations that could trigger the vulnerability.
Mitigation Strategies

The immediate mitigation step is to upgrade XML Notepad to version 2.9.0.21 or later, where the vulnerability has been patched by disabling DTD processing by default.

Until the upgrade can be applied, avoid opening untrusted XML files that may contain malicious external DTDs, and consider restricting outbound HTTP and SMB traffic from the XML Notepad application to prevent data leakage or credential capture.

Compliance Impact

This vulnerability in XML Notepad allows external entity resolution by default, which can lead to the leakage of local file contents or capture of NTLM credentials through malicious XML files. Such unauthorized data exposure could potentially violate data protection requirements in standards like GDPR or HIPAA, which mandate safeguarding sensitive personal or health information from unauthorized access or disclosure.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart