High severity (7.6) · NVD Advisory · Published Apr 22, 2026 · Updated Apr 24, 2026
CVE-2026-40882
Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.
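The weakness described above is a parser configured with the JDK defaults, so a DOCTYPE in the uploaded XML is honoured and its entities are resolved. The following added example (not OpenRemote's code, and not the fix shipped in 1.22.0) shows the default `DocumentBuilderFactory` beside a hardened one that refuses any DOCTYPE and disables external entity and DTD loading, then feeds both a constructed benign document and a constructed document carrying a DOCTYPE. The element names (`devices`, `device`) are placeholders chosen for the sample, not the Velbus import format.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {

    // Weak configuration: JDK defaults, DOCTYPE declarations and entity resolution left enabled.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject DTDs outright. The remaining flags are defence in depth
    // for parser implementations that do not honour disallow-doctype-decl.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Block any external DTD or schema fetch (JAXP 1.5 properties).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true if the builder accepted the document, false if it rejected it.
    static boolean parses(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign import document with placeholder element names.
        String benign = "<devices><device address=\"1\" name=\"relay\"/></devices>";
        // Constructed sample: the same document preceded by a DOCTYPE that declares an entity.
        // The entity is internal (no SYSTEM identifier) so the sample is harmless; the hardened
        // parser rejects the DOCTYPE before it ever looks at what an entity would reference.
        String withDoctype = "<!DOCTYPE devices [<!ENTITY x \"placeholder\">]>"
                + "<devices><device address=\"1\" name=\"&x;\"/></devices>";

        System.out.println("hardened / benign  : " + parses(hardenedBuilder(), benign));
        System.out.println("hardened / doctype : " + parses(hardenedBuilder(), withDoctype));
        System.out.println("default  / doctype : " + parses(defaultBuilder(), withDoctype));
    }
}
```

Compile and run with `javac XxeHardenedParser.java && java XxeHardenedParser`. The hardened builder accepts the benign document and rejects the one with a DOCTYPE; the default builder accepts both, which is the gap an external entity exploits. Rejecting DOCTYPEs entirely is the simplest defensible policy for an import endpoint whose format never needs a DTD, and each rejection is worth logging with the calling user so abuse of the endpoint is visible.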
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.openremote:openremote-manager (Maven) | < 1.22.0 | 1.22.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
- github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc (source: nvd; tags: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-g24f-mgc3-jwwc (source: ghsa; tags: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-40882 (source: ghsa; tags: ADVISORY)
News mentions: 0
No linked articles in our index yet.