High severity8.8NVD Advisory· Published Nov 8, 2017· Updated May 13, 2026

CVE-2017-9096

Description

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.itextpdf:itextpdfMaven	< 5.5.12	5.5.12
com.itextpdf:itextpdfMaven	>= 7.0.0, < 7.0.3	7.0.3
com.lowagie:itextMaven	<= 4.2.2	—

Affected products

Itextpdf/Itext4 versions
cpe:2.3:a:itextpdf:itext:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:itextpdf:itext:*:*:*:*:*:*:*:*range: <5.5.12
- cpe:2.3:a:itextpdf:itext:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:itextpdf:itext:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:itextpdf:itext:7.0.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/archive/1/541483/100/0/threadednvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-86p9-x5pw-94qxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-9096ghsaADVISORY
support.hpe.com/hpsc/doc/public/displaynvdThird Party AdvisoryWEB
www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txtnvdThird Party AdvisoryWEB
www.oracle.com/security-alerts/cpuoct2020.htmlnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.006
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000