Medium severity5.5NVD Advisory· Published Nov 16, 2016· Updated May 6, 2026

CVE-2016-9318

Description

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Affected products

Xmlsoft/Libxml2
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
Range: <=2.9.4
Canonical/Ubuntu Linux4 versions
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*+ 3 more
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugzilla.gnome.org/show_bug.cginvdIssue TrackingPatchThird Party AdvisoryVDB Entry
github.com/lsh123/xmlsec/issues/43nvdExploitPatchThird Party Advisory
www.securityfocus.com/bid/94347nvdThird Party AdvisoryVDB Entry
security.gentoo.org/glsa/201711-01nvdThird Party Advisory
usn.ubuntu.com/3739-1/nvdThird Party Advisory
usn.ubuntu.com/3739-2/nvdThird Party Advisory
lists.debian.org/debian-lts-announce/2022/04/msg00004.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000