CVE-2026-3511
SSRF Vulnerability in Slovensko.Digital Autogram XMLUtils.java
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: National Cyber Security Centre SK-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slovensko.digital | autogram | 2.7.2 |
| slovensko.digital | autogram | 2.7.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3511 is an Improper Restriction of XML External Entity Reference vulnerability found in the XMLUtils.java component of the Slovensko.Digital Autogram application. This vulnerability allows a remote unauthenticated attacker to perform Server Side Request Forgery (SSRF) attacks and gain unauthorized access to local files on the filesystem where the vulnerable application is running.
Exploitation requires the victim to visit a specially crafted website that sends a request containing a malicious XML document to the /sign endpoint of the local HTTP server run by the application. The vulnerability arises because the XML processing does not fully disable external entity references, allowing attackers to read local files by exploiting XML External Entity (XXE) features.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to remotely execute SSRF attacks and access sensitive local files without authentication. This unauthorized access could lead to exposure of confidential information stored on the local filesystem.
Since the attack requires the victim to visit a malicious website, it leverages social engineering to trigger the exploit. Successful exploitation compromises confidentiality but does not affect integrity or availability according to the CVSS score.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves an XML External Entity (XXE) attack vector in the XMLUtils.java component of the Autogram application, which can be exploited when a specially crafted XML document is sent to the /sign endpoint of the local HTTP server.
Detection would involve monitoring for unusual or unexpected XML payloads targeting the /sign endpoint on the local HTTP server of the Autogram application.
Since the application runs a local HTTP server, network detection might be limited to local traffic analysis or host-based monitoring.
Specific commands are not provided in the available resources or context.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Autogram application to version 2.7.2 or later, which includes a security patch that hardens XML utilities to prevent this XXE vulnerability.
This update was released promptly after the vulnerability was responsibly disclosed and addresses the incomplete mitigation of external entities in XML processing.
Users are strongly advised to apply this update to ensure protection against the identified security issue.