{"api_version":"1","generated_at":"2026-05-11T18:48:15+00:00","cve":"CVE-2016-9487","urls":{"html":"https://cve.report/CVE-2016-9487","api":"https://cve.report/api/cve/CVE-2016-9487.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-9487","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-9487"},"summary":{"title":"CVE-2016-9487","description":"EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.","state":"PUBLIC","assigner":"cert@cert.org","published_at":"2018-07-13 20:29:00","updated_at":"2019-10-09 23:20:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://www.kb.cert.org/vuls/id/779243","name":"VU#779243","refsource":"CERT-VN","tags":["Third Party Advisory","US Government Resource"],"title":"Vulnerability Note VU#779243 - EpubCheck 4.0.1 contains a XML external entity processing vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.securityfocus.com/bid/94864/","name":"94864","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"EpubCheck CVE-2016-9487 XML External Entity Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.securityfocus.com/bid/94864","name":"BID:94864","refsource":"MITRE","tags":[],"title":"EpubCheck CVE-2016-9487 XML External Entity Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-9487","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9487","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Thanks to Craig Arendt for reporting this vulnerability.","lang":""}],"nvd_cpes":[{"cve_year":"2016","cve_id":"9487","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"w3","cpe5":"epubcheck","cpe6":"4.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9487","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"w3","cpe5":"epubcheck","cpe6":"4.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cert@cert.org","ID":"CVE-2016-9487","STATE":"PUBLIC","TITLE":"EpubCheck 4.0.1 is vulnerable to external XML entity processing attacks"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"EpubCheck","version":{"version_data":[{"affected":"=","version_name":"4.0.1","version_value":"4.0.1"}]}}]},"vendor_name":"EpubCheck"}]}},"credit":[{"lang":"eng","value":"Thanks to Craig Arendt for reporting this vulnerability."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-611"}]}]},"references":{"reference_data":[{"name":"VU#779243","refsource":"CERT-VN","url":"https://www.kb.cert.org/vuls/id/779243"},{"name":"94864","refsource":"BID","url":"https://www.securityfocus.com/bid/94864/"}]},"solution":[{"lang":"eng","value":"EpubCheck has released version 4.0.2 to address the vulnerability."}],"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2018-07-13 20:29:00","lastModifiedDate":"2019-10-09 23:20:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:w3:epubcheck:4.0.1:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"9487","Ordinal":"96172","Title":"CVE-2016-9487","CVE":"CVE-2016-9487","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"9487","Ordinal":"1","NoteData":"EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"9487","Ordinal":"2","NoteData":"2018-07-13","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"9487","Ordinal":"3","NoteData":"2018-07-13","Type":"Other","Title":"Modified"}]}}}