Medium severity6.5NVD Advisory· Published Mar 31, 2026· Updated Apr 13, 2026

CVE-2026-34401

Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

Affected products

Microsoft/XML Notepad
cpe:2.3:a:microsoft:xml_notepad:*:*:*:*:*:windows:*:*
Range: <2.9.0.21

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140cnvdPatch
github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53nvdPatch
github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42chnvdMitigationVendor Advisory
github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21nvdProductRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000