CVE-2026-3511
Received Received - Intake
SSRF Vulnerability in Slovensko.Digital Autogram XMLUtils.java

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: National Cyber Security Centre SK-CERT

Description
Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3511
EUVD
EUVD-2026-13095
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
slovensko.digital autogram 2.7.2
slovensko.digital autogram 2.7.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3511 is an Improper Restriction of XML External Entity Reference vulnerability found in the XMLUtils.java component of the Slovensko.Digital Autogram application. This vulnerability allows a remote unauthenticated attacker to perform Server Side Request Forgery (SSRF) attacks and gain unauthorized access to local files on the filesystem where the vulnerable application is running.

Exploitation requires the victim to visit a specially crafted website that sends a request containing a malicious XML document to the /sign endpoint of the local HTTP server run by the application. The vulnerability arises because the XML processing does not fully disable external entity references, allowing attackers to read local files by exploiting XML External Entity (XXE) features.

Impact Analysis

This vulnerability can impact you by allowing attackers to remotely execute SSRF attacks and access sensitive local files without authentication. This unauthorized access could lead to exposure of confidential information stored on the local filesystem.

Since the attack requires the victim to visit a malicious website, it leverages social engineering to trigger the exploit. Successful exploitation compromises confidentiality but does not affect integrity or availability according to the CVSS score.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves an XML External Entity (XXE) attack vector in the XMLUtils.java component of the Autogram application, which can be exploited when a specially crafted XML document is sent to the /sign endpoint of the local HTTP server.

Detection would involve monitoring for unusual or unexpected XML payloads targeting the /sign endpoint on the local HTTP server of the Autogram application.

Since the application runs a local HTTP server, network detection might be limited to local traffic analysis or host-based monitoring.

Specific commands are not provided in the available resources or context.

Mitigation Strategies

The primary mitigation step is to upgrade the Autogram application to version 2.7.2 or later, which includes a security patch that hardens XML utilities to prevent this XXE vulnerability.

This update was released promptly after the vulnerability was responsibly disclosed and addresses the incomplete mitigation of external entities in XML processing.

Users are strongly advised to apply this update to ensure protection against the identified security issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart