{"api_version":"1","generated_at":"2026-04-22T20:52:45+00:00","cve":"CVE-2021-23926","urls":{"html":"https://cve.report/CVE-2021-23926","api":"https://cve.report/api/cve/CVE-2021-23926.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23926","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23926"},"summary":{"title":"CVE-2021-23926","description":"The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2021-01-14 15:15:00","updated_at":"2023-11-07 03:31:00"},"problem_types":["CWE-776"],"metrics":[],"references":[{"url":"https://issues.apache.org/jira/browse/XMLBEANS-517","name":"https://issues.apache.org/jira/browse/XMLBEANS-517","refsource":"MISC","tags":["Issue Tracking","Vendor Advisory"],"title":"[XMLBEANS-517] Use safe XML parsers - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E","name":"[axis-java-dev] 20210312 xmlbeans 2.6.0 and CVE-2021-23926","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1@%3Cjava-dev.axis.apache.org%3E","name":"[axis-java-dev] 20210312 Re: xmlbeans 2.6.0 and CVE-2021-23926","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","name":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed@%3Cjava-dev.axis.apache.org%3E","name":"[axis-java-dev] 20210312 xmlbeans 2.6.0 and CVE-2021-23926","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210513-0004/","name":"https://security.netapp.com/advisory/ntap-20210513-0004/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-23926 Apache XMLBeans Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E","name":"[axis-java-dev] 20210312 Re: xmlbeans 2.6.0 and CVE-2021-23926","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html","name":"[debian-lts-announce] 20210628 [SECURITY] [DLA 2693-1] xmlbeans security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2693-1] xmlbeans security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://poi.apache.org/","name":"https://poi.apache.org/","refsource":"MISC","tags":["Product","Vendor Advisory"],"title":"Index of /","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23926","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23926","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"2.6.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"xmlbeans","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"oncommand_unified_manager_core_package","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snapmanager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"oracle","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snapmanager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"sap","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snap_creator_framework","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"middleware_common_libraries_and_tools","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"middleware_common_libraries_and_tools","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.57","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.58","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23926","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.59","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23926","qid":"178686","title":"Debian Security Update for xmlbeans (DLA 2693-1)"},{"cve":"CVE-2021-23926","qid":"179604","title":"Debian Security Update for xmlbeans (CVE-2021-23926)"},{"cve":"CVE-2021-23926","qid":"375970","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUOCT2021)"},{"cve":"CVE-2021-23926","qid":"752763","title":"SUSE Enterprise Linux Security Update for xmlbeans (SUSE-SU-2022:3875-1)"},{"cve":"CVE-2021-23926","qid":"752765","title":"SUSE Enterprise Linux Security Update for xmlbeans (SUSE-SU-2022:3876-1)"},{"cve":"CVE-2021-23926","qid":"980332","title":"Java (maven) Security Update for org.apache.xmlbeans:xmlbeans (GHSA-mw3r-pfmg-xp92)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2021-23926","STATE":"PUBLIC","TITLE":"XMLBeans XML Entity Expansion"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache XMLBeans","version":{"version_data":[{"version_affected":"<=","version_name":"Apache XMLBeans","version_value":"2.6.0"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information Disclosure"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://poi.apache.org/","name":"https://poi.apache.org/"},{"refsource":"MISC","url":"https://issues.apache.org/jira/browse/XMLBEANS-517","name":"https://issues.apache.org/jira/browse/XMLBEANS-517"},{"refsource":"MLIST","name":"[axis-java-dev] 20210312 xmlbeans 2.6.0 and CVE-2021-23926","url":"https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed@%3Cjava-dev.axis.apache.org%3E"},{"refsource":"MLIST","name":"[axis-java-dev] 20210312 Re: xmlbeans 2.6.0 and CVE-2021-23926","url":"https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1@%3Cjava-dev.axis.apache.org%3E"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210628 [SECURITY] [DLA 2693-1] xmlbeans security update","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210513-0004/","url":"https://security.netapp.com/advisory/ntap-20210513-0004/"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"source":{"defect":["https://issues.apache.org/jira/browse/XMLBEANS-517"],"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-01-14 15:15:00","lastModifiedDate":"2023-11-07 03:31:00","problem_types":["CWE-776"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:xmlbeans:*:*:*:*:*:*:*:*","versionEndIncluding":"2.6.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23926","Ordinal":"198678","Title":"CVE-2021-23926","CVE":"CVE-2021-23926","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23926","Ordinal":"1","NoteData":"The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23926","Ordinal":"2","NoteData":"2021-01-14","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23926","Ordinal":"3","NoteData":"2021-10-20","Type":"Other","Title":"Modified"}]}}}