CVE-2025-9375

EUVD-2025-26350
XML Injection vulnerability in xmltodict allows Input Data Manipulation.
This issue affects xmltodict: from 0.14.2 before 0.15.1.

NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
aka Blind XPath Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Debian logo
Debian Releases
Debian Product
Codename
python-xmltodict
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Common Weakness Enumeration
References
https://fluidattacks.com/advisories/mono
https://github.com/martinblech/xmltodict
https://github.com/martinblech/xmltodict/blob/v0.15.1/CHANGELOG.md
https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator
https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923