VYPR
Critical severity · NVD Advisory · Published Dec 4, 2023 · Updated Oct 10, 2024

HtmlUnit vulnerable to Remote Code Execution (RCE) via XSLT

CVE-2023-49093

Description

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HtmlUnit is vulnerable to Remote Code Execution via XSLT when browsing an attacker's webpage, patched in version 3.9.0.

HtmlUnit, a GUI-less browser for Java programs, is vulnerable to Remote Code Execution (RCE) via XSLT. The root cause is that the XSLT processor does not enable FEATURE_SECURE_PROCESSING, allowing arbitrary code execution [2][4].

Exploitation occurs when a user running HtmlUnit visits an attacker-controlled webpage. The page contains malicious JavaScript that uses ActiveXObject to load an XSLT stylesheet with Xalan Java extensions, which can execute arbitrary system commands [4].

An attacker can achieve full remote code execution in the context of the Java application using HtmlUnit, potentially leading to complete system compromise [2].

The vulnerability is patched in HtmlUnit version 3.9.0. Users are strongly advised to upgrade to this version or later [1][2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
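As an added illustration (not HtmlUnit's code and not from the advisory), the following Java shows the weak TransformerFactory setup beside a hardened one that enables FEATURE_SECURE_PROCESSING, plus a probe that reports whether a factory still lets stylesheets call Java extension functions. It assumes the JDK's built-in XSLT processor; the probe stylesheet and the class name are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class XsltHardeningCheck {

    // Weak: a default factory leaves FEATURE_SECURE_PROCESSING off, so a
    // stylesheet may invoke processor extension functions (the root cause
    // described for CVE-2023-49093).
    static TransformerFactory weakFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened: secure processing on, and no external DTD/stylesheet fetches.
    // Note: the two ACCESS_EXTERNAL_* attributes are JAXP 1.5; a non-JDK
    // processor that predates them throws IllegalArgumentException here.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    // Constructed probe stylesheet: calls a harmless Java method
    // (Integer.toHexString) through the Xalan "java" extension namespace,
    // purely to detect whether extension calls are permitted at all.
    static final String PROBE_XSLT =
        "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
        + " xmlns:java='http://xml.apache.org/xalan/java'>"
        + "<xsl:output method='text'/>"
        + "<xsl:template match='/'>"
        + "<xsl:value-of select='java:java.lang.Integer.toHexString(255)'/>"
        + "</xsl:template></xsl:stylesheet>";

    // Returns true when the factory rejects the extension call (the safe outcome).
    static boolean blocksExtensionCalls(TransformerFactory f) {
        try {
            Transformer t = f.newTransformer(new StreamSource(new StringReader(PROBE_XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return false;  // extension ran; the weak factory prints "ff" here
        } catch (TransformerException e) {
            return true;   // rejected at compile or transform time
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory blocks extension calls:  " + blocksExtensionCalls(weakFactory()));
        System.out.println("hardened factory blocks extension calls: " + blocksExtensionCalls(hardenedFactory()));
    }
}
```

The same probe can be run against any factory an application hands to HtmlUnit or uses itself, so a unit test asserting `blocksExtensionCalls(...)` is true catches a regression to the weak configuration.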

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions   Patched versions
org.htmlunit:htmlunit    Maven       < 3.9.0             3.9.0

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.