A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.
NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x
"}],"value":"A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.\n\n\n\n\n\n\n\n\nNOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x"}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T18:37:08.787Z","orgId":"eb103674-0d28-4225-80f8-39fb86215de0","shortName":"hpe"},"references":[{"url":"https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US"}],"source":{"advisory":"HPESBNW05049","discovery":"INTERNAL"},"title":"Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"eb103674-0d28-4225-80f8-39fb86215de0","assignerShortName":"hpe","cveId":"CVE-2026-23822","datePublished":"2026-05-12T18:37:08.787Z","dateReserved":"2026-01-16T15:22:49.224Z","dateUpdated":"2026-05-12T19:25:55.101Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-12 19:16:28","lastModifiedDate":"2026-05-12 20:16:31","problem_types":["CWE-776","CWE-776 CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"],"metrics":{"cvssMetricV31":[{"source":"security-alert@hpe.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23822","Ordinal":"1","Title":"Unauthenticated XML External Entity Injection in AOS-8 Instant a","CVE":"CVE-2026-23822","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23822","Ordinal":"1","NoteData":"A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.\n\n\n\n\n\n\n\n\nNOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x","Type":"Description","Title":"Unauthenticated XML External Entity Injection in AOS-8 Instant a"}]}}}