CVE-2026-42212
Received Received - Intake
XML External Entity Processing in SolidCAM Postprocessor IDE

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42212
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
solidcam postprocessor_ide From 1.0.0 (inc) to 1.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability exists in the SolidCAM Postprocessor IDE extension versions from 1.0.0 to before 1.0.2. When a .gpp file is opened, the language server automatically parses a companion .vmid file in the same directory. The parser uses XDocument.Load(path) without any XmlReaderSettings, which in .NET 8 allows processing of Document Type Definitions (DTDs). This enables a malicious .vmid file to exploit external entity references.

  • Disclosure of local files via external entity references.
  • Memory exhaustion through recursive entity expansion.
  • Denial of service caused by oversized or deeply nested XML.

This vulnerability was fixed in version 1.0.2 of the extension.

Impact Analysis

This vulnerability can have several impacts on users of the affected SolidCAM Postprocessor IDE extension:

  • An attacker could disclose sensitive local files by exploiting external entity references in a malicious .vmid file.
  • It could lead to memory exhaustion on the system, potentially causing the application or system to become unstable or crash.
  • Denial of service conditions could be triggered by processing oversized or deeply nested XML files, disrupting normal operations.
Mitigation Strategies

The vulnerability has been patched in SolidCAM Postprocessor IDE version 1.0.2. Immediate mitigation involves upgrading the SolidCAM Postprocessor IDE extension to version 1.0.2 or later.

Until the upgrade can be applied, avoid opening .gpp files in versions prior to 1.0.2, as opening these files causes the language server to parse companion .vmid files which may be malicious.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart