CVE-2026-40682 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: May 5, 2026
Apache OpenNLP - XML External Entity Injection
Published: May 4, 2026 | Updated: May 5, 2026 | Remotely exploitable
Overview
Apache OpenNLP versions before 2.5.9 and before 3.0.0-M3 contain an XML External Entity (XXE) injection vulnerability (CWE-611) in DictionaryEntryPersistor, which parses dictionary files without disabling external entity resolution. An attacker who can supply a crafted dictionary file can have the parsing host read local files or issue server-side requests (SSRF) when the entity is resolved. Exploitation requires that the attacker control the dictionary input that the application loads.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
An attacker who controls a dictionary file can disclose local files readable by the OpenNLP process or force it to issue requests to internal hosts (SSRF), leading to exposure of sensitive data or access to otherwise unreachable internal services. The network attack vector in the CVSS score reflects a deployment that accepts dictionary files from untrusted parties; applications that only load dictionaries bundled with their own release have a correspondingly smaller exposure.
Mitigation
Upgrade to Apache OpenNLP 2.5.9 or later on the 2.x line, or to 3.0.0-M3 or later on the 3.x line. Until the upgrade is in place, load dictionary files only from trusted sources and reject any dictionary that contains a DOCTYPE declaration, since a well-formed OpenNLP dictionary does not need one.
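The following is an added example, not code from Apache OpenNLP or from this advisory. It shows the vulnerability class described above using the JDK's standard SAX parser rather than OpenNLP's own DictionaryEntryPersistor code path: a crafted dictionary (OpenNLP-style dictionary/entry/token markup is assumed) declares an external entity pointing at a local file, the default parser configuration resolves it into the token text, and the hardened configuration rejects the file outright because a DOCTYPE is present. The temp file, its contents and the class name are constructed for the demonstration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DictionaryXxeDemo {

    /** Collects the text of every <token> element, the way a dictionary loader keeps entries. */
    static final class TokenCollector extends DefaultHandler {
        final StringBuilder tokens = new StringBuilder();
        private boolean inToken;

        @Override public void startElement(String uri, String local, String qName, Attributes atts) {
            inToken = "token".equals(qName);
        }
        @Override public void endElement(String uri, String local, String qName) {
            if ("token".equals(qName)) { inToken = false; tokens.append('\n'); }
        }
        @Override public void characters(char[] ch, int start, int len) {
            if (inToken) tokens.append(ch, start, len);
        }
    }

    /** Default JAXP configuration: DOCTYPE is accepted and SYSTEM entities are fetched. */
    static String parseUnhardened(String xml) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        TokenCollector handler = new TokenCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.tokens.toString();
    }

    /** Hardened configuration: no DOCTYPE at all, so no entity can be declared, local or remote. */
    static String parseHardened(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        TokenCollector handler = new TokenCollector();
        factory.newSAXParser().parse(new InputSource(new StringReader(xml)), handler);
        return handler.tokens.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a local file the attacker wants to exfiltrate.
        Path secret = Files.createTempFile("opennlp-xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");

        // Crafted dictionary: assumed OpenNLP-style markup plus an external entity
        // whose SYSTEM identifier is the local file; a remote URL here would give SSRF instead.
        String crafted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE dictionary [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<dictionary case_sensitive=\"false\">\n"
            + "  <entry><token>&xxe;</token></entry>\n"
            + "</dictionary>\n";

        try {
            // With the JDK's default parser settings the token text becomes the file contents.
            System.out.println("unhardened parser yields token: " + parseUnhardened(crafted).trim());
            try {
                parseHardened(crafted);
                System.out.println("hardened parser accepted the file (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected the file: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The disallow-doctype-decl feature is the single setting that closes the hole: a dictionary with no DOCTYPE cannot declare entities, so the parser has nothing to resolve. The same check works as a pre-filter on untrusted dictionary files while an affected OpenNLP version is still deployed.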
Details
- CVE ID: CVE-2026-40682
- Severity: Critical
- CVSS Score: 9.1
- Type: XML External Entity Injection
- Status: new
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N