CVE-2026-23822

EUVD-2026-29738

12.05.2026, 19:16

A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.








NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x

XML Entity Expansion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US