CVE-2024-39847

7.5 HIGH

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server

Published: 2026-04-30 · Last updated: 2026-05-17

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-611

Affected products

Vendor	Product
4d	server

Description

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2024-39847
[Other]https://4d.com
[Exploit reference]https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/
[Other]http://seclists.org/fulldisclosure/2026/May/0

Related CVEs

Same CWE

CVE-2026-49875 — Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening c... (9.8 CRITICAL)
CVE-2026-40998 — Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled X... (8.2 HIGH)
CVE-2026-40991 — When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who comp... (5.9 MEDIUM)
CVE-2026-47960 — ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerab... (7.4 HIGH)
CVE-2026-8045 — CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side...