Home / Vulnerability Intelligence / CVE-2026-40882

CVE-2026-40882 - Vulnerability Analysis

HighCVSS: 7.6

Last Updated: April 24, 2026

OpenRemote - XML External Entity Injection

Published: April 22, 2026Updated: April 24, 2026PoC AvailableRemote Exploitable

Overview

OpenRemote < 1.22.0 contains an XML external entity injection caused by lack of explicit XXE hardening in Velbus asset import path, letting authenticated users trigger file disclosure and SSRF, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 7.6

EPSS Score: 5.6%(Probability of exploitation in next 30 days)

Impact

Authenticated users can disclose server files and perform SSRF, potentially leading to sensitive data exposure and internal network access.

Mitigation

Update to version 1.22.0 or later.

References

https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 22, 2026

🟠 CVE-2026-40882 - High (7.6) OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML e... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40882/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-40882
Severity: High
CVSS Score: 7.6
Type: xml_external_entity_injection
Status: confirmed
EPSS: 5.6%
Social Posts: 1

CWE

CWE-611

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

EPSS Score

5.6%Probability of exploitation in the next 30 days