CVE-2025-9375
Medium severity · NVD Advisory · Published Sep 1, 2025 · Updated Apr 20, 2026
Description
XML Injection in xmltodict: xmltodict.unparse() emits the keys of the input dictionary as XML element names without validating them, so a key that contains markup characters (for example "<" or ">") is written into the start and end tags of the output document verbatim. An attacker who controls keys in the data being serialised can therefore inject or restructure elements in the resulting XML (input data manipulation). This issue affects xmltodict from 0.14.2 before 0.15.1.
NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
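The mechanics behind the description and the vendor's note, as an added example that is not part of this advisory or of xmltodict's own code. It drives xml.sax.saxutils.XMLGenerator directly from a reduced, hypothetical re-implementation of unparse() (nested dicts of element name to text only; no attributes, "#text" or other xmltodict conventions) to show that the generator writes an element name into both the start tag and the end tag without escaping or validating it, and then a hardened variant that checks every key against the XML 1.0 Name production before anything reaches the generator. The order/item/admin document, the attacker-controlled key and all function names are constructed for this example; the hardened variant illustrates the shape of a fix and is an assumption about, not a copy of, the upstream 0.15.1 change.

```python
import io
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import XMLGenerator

# XML 1.0 (5th ed.) Name production: NameStartChar and NameChar classes.
_NAME_START = (
    r":A-Z_a-z\xC0-\xD6\xD8-\xF6\xF8-\u02FF\u0370-\u037D\u037F-\u1FFF"
    r"\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF"
    r"\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
_NAME_CHAR = _NAME_START + r"\-.0-9\xB7\u0300-\u036F\u203F-\u2040"
XML_NAME = re.compile("[" + _NAME_START + "][" + _NAME_CHAR + "]*")


def is_valid_xml_name(name):
    """True if `name` is a well-formed XML Name (and so cannot carry markup)."""
    return isinstance(name, str) and XML_NAME.fullmatch(name) is not None


def _emit(gen, name, value):
    # Reduced model of xmltodict.unparse(): the dict key goes straight to
    # XMLGenerator.startElement()/endElement(), which write '<' + name + '>'
    # and '</' + name + '>' as-is. Only character data is escaped.
    gen.startElement(name, {})
    if isinstance(value, dict):
        for child_name, child_value in value.items():
            _emit(gen, child_name, child_value)
    else:
        gen.characters(str(value))
    gen.endElement(name)


def unparse_unchecked(doc):
    """Serialise {root: {child: text, ...}} trusting every key (vulnerable behaviour)."""
    buf = io.StringIO()
    gen = XMLGenerator(buf, encoding="utf-8")
    for root_name, value in doc.items():
        _emit(gen, root_name, value)
    return buf.getvalue()


def find_bad_names(value, path=()):
    """Return (parent path, key) pairs for every key that is not an XML Name."""
    bad = []
    if isinstance(value, dict):
        for name, child in value.items():
            if not is_valid_xml_name(name):
                bad.append(("/".join(path), name))
            bad.extend(find_bad_names(child, path + (str(name),)))
    return bad


def unparse_checked(doc):
    """Hardened variant (hypothetical fix): refuse any key that is not an XML Name
    before it reaches the generator, instead of relying on XMLGenerator."""
    bad = find_bad_names(doc)
    if bad:
        raise ValueError(f"refusing to serialise non-XML-Name keys: {bad!r}")
    return unparse_unchecked(doc)


def injected_admin_value(xml_text):
    """Parse serialised XML and return the text of the root's <admin> child, if any."""
    admin = ET.fromstring(xml_text).find("admin")
    return None if admin is None else admin.text


# Constructed attacker input. The same key string is written into the start
# tag and the end tag, so the payload ends in '<!--': the tail of each tag opens
# a comment that swallows the leftover text and keeps the result well-formed.
MALICIOUS_DOC = {"order": {"item></item><admin>true</admin><!--": "widget"}}
BENIGN_DOC = {"order": {"item": "widget"}}

if __name__ == "__main__":
    tainted = unparse_unchecked(MALICIOUS_DOC)
    print(tainted)
    print("parsed <admin> =", injected_admin_value(tainted))
    try:
        unparse_checked(MALICIOUS_DOC)
    except ValueError as exc:
        print("rejected:", exc)
    print(unparse_checked(BENIGN_DOC))
```

For the malicious input the unchecked serialiser produces a document that a strict XML parser accepts and in which the root now has an injected admin element with the value "true", while the original "widget" text has disappeared into a comment; the checked variant rejects the same input before writing anything. Because xmltodict.unparse() hands keys to the same generator, the unchecked output is what an unpatched version would emit for comparable input, which is also why the vendor's note about XMLGenerator not validating names is accurate and why the check has to live in the caller.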
Affected products
- xmltodict (upstream package, no CPE): >=0.14.2, <0.15.1
- python-xmltodict (rpm, openSUSE Leap 15.6): < 0.13.0-150600.3.5.1
- python-xmltodict (rpm, openSUSE Tumbleweed): < 0.15.1-1.1
- python-xmltodict (rpm, SUSE Linux Enterprise Module for Public Cloud 15 SP4): < 0.13.0-150400.12.7.1
- python-xmltodict (rpm, SUSE Linux Enterprise Module for Public Cloud 15 SP5): < 0.13.0-150400.12.7.1
- python-xmltodict (rpm, SUSE Linux Enterprise Module for Public Cloud 15 SP6): < 0.13.0-150600.3.5.1
- python-xmltodict (rpm, SUSE Linux Enterprise Module for Public Cloud 15 SP7): < 0.13.0-150600.3.5.1
References
- docs.python.org/3/library/xml.sax.utils.html
- fluidattacks.com/advisories/mono
- github.com/martinblech/xmltodict/blob/v0.15.1/CHANGELOG.md
- github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
- github.com/martinblech/xmltodict/issues/377