CVE-2026-24515
2.9 LOWIn libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data
Published: 2026-01-23 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 2.9 LOW
- Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE
- CWE-476
Affected products
| Vendor | Product |
|---|---|
| libexpat_project | libexpat |
Description
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-50219 — libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_Pa... (4.9 MEDIUM)
- CVE-2026-25210 — In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow... (6.9 MEDIUM)
- CVE-2025-66382 — In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time (2.9 LOW)
Same CWE
- CVE-2026-53463 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.3 MEDIUM)
- CVE-2026-24716 — A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
- CVE-2026-22899 — A NULL pointer dereference vulnerability has been reported to affect File Station 6
- CVE-2025-66281 — A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
- CVE-2025-62850 — A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions