Zero Day MonitorZDM

← Back to list

6.5

CVE-2026-34401

microsoft · xmlnotepad

XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading

Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

Affected Products

Vendor	Product	Versions
microsoft	xmlnotepad	< 2.9.0.21

References

https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch(x_refsource_CONFIRM)
https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c(x_refsource_MISC)
https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53(x_refsource_MISC)
https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-34401 | Microsoft XmlNotepad prior 2.9.0.21 HTTP/SMB xml external entity reference (GHSA-5j32-486h-42ch)

→ No new info (linked only)

CVSS 3.16.5 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-611

PublishedMar 31, 2026

Last enriched5h agov2

Tags

CVE-2026-34401

Trending Score23

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-32187EXP

Microsoft Edge (Chromium-based) Defense in Depth Vulnerability

HIGHCVE-2026-21510EXPKEV

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

MEDIUMCVE-2026-20805EXPKEV

Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.

HIGHCVE-2026-34054

openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)

HIGHCVE-2026-20929

Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 31, 2026

Discovered by ZDM

Mar 31, 2026

Updated: tags

Apr 1, 2026

Version History

v2

Last enriched 5h ago

v2Tier C5h ago

Updated tags with CVE-2026-34401 and confirmed no exploit is available.

tags

via VulDB

v110h ago

Initial creation