CVE-2026-6807
XML Injection in GRASSMARLIN 3.2.1 Exposes Sensitive Data
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grassmarlin | grassmarlin | 3.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability in GRASSMARLIN v3.2.1 may lead to unintended exposure of sensitive information due to improper handling of XML input. Such exposure of sensitive data can potentially impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access or disclosure.
However, specific details on how this vulnerability affects compliance with these standards are not provided in the available information.
How can this vulnerability impact me? :
The vulnerability may result in the unintended exposure of sensitive information. This means that an attacker who exploits this flaw could gain access to confidential data that should otherwise be protected.
Can you explain this vulnerability to me?
This vulnerability exists in GRASSMARLIN version 3.2.1 and involves improper handling of XML input due to crafted session data. The root cause is insufficient hardening of the XML parsing process, which can lead to unintended exposure of sensitive information.