CVE-2026-24515

Low CVSS: 2.9

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Vendor

Product

CWE

Yayın Tarihi

2026-01-23 08:16:01

Güncelleme

2026-02-05 17:27:53

Source Identifier

cve@mitre.org

KEV Date Added

CWE-476 Libexpat LOW Libexpat Project 2026

https://github.com/libexpat/libexpat/pull/1131

Medium

CVE-2026-32776

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Medium

CVE-2026-32777

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Low

CVE-2026-32778

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memo…

Medium

CVE-2026-25210

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no…

Low

CVE-2025-66382

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing…

High

CVE-2025-59375

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is…