Description
XML Injection vulnerability in xmltodict allows Input Data Manipulation.
This issue affects xmltodict: from 0.14.2 before 0.15.1.

NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
Published: 2025-09-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Input data manipulation via XML injection
Action: Patch
AI Analysis

Impact

xmltodict's unparse function delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, which performs no validation of element names. This flaw lets attackers inject crafted XML that can manipulate the output of unparse, potentially altering the structure or contents of data processed by downstream consumers. The issue is identified as CWE‑91 and can lead to data corruption or unintended data processing. The vulnerability is reported in versions 0.14.2 through just before 0.15.1.

Affected Systems

The vulnerability affects the xmltodict library across all supported operating systems—Linux, macOS, and Windows—for every release from 0.14.2 up to the point immediately before 0.15.1. Any application that imports xmltodict and uses the unparse facility in those versions is potentially exposed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is below 1 %, suggesting a low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to code that calls xmltodict.unparse; there is no documented network-facing vector. The risk therefore is limited to contexts where an attacker can influence input to the unparse routine, enabling data manipulation.

Generated by OpenCVE AI on April 22, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade xmltodict to 0.15.1 or later.
  • Audit code paths that call xmltodict.unparse and add explicit validation of element names before serialization.
  • If upgrading is infeasible, wrap XMLGenerator or implement a sanitization routine to reject or escape disallowed element names.

Generated by OpenCVE AI on April 22, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26350 XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1.
Ubuntu USN Ubuntu USN USN-7753-1 xmltodict vulnerability
History

Mon, 20 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.

Wed, 03 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Xmltodict
Xmltodict xmltodict
CPEs cpe:2.3:a:xmltodict:xmltodict:*:*:linux:*:*:*:*:*
cpe:2.3:a:xmltodict:xmltodict:*:*:macos:*:*:*:*:*
cpe:2.3:a:xmltodict:xmltodict:*:*:windows:*:*:*:*:*
Vendors & Products Xmltodict
Xmltodict xmltodict

Thu, 11 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Sep 2025 20:45:00 +0000

Type Values Removed Values Added
Description XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2. XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1.
References

Fri, 05 Sep 2025 02:30:00 +0000

Type Values Removed Values Added
References

Wed, 03 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate

Tue, 02 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Xmltodict Project
Xmltodict Project xmltodict
Vendors & Products Xmltodict Project
Xmltodict Project xmltodict

Mon, 01 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2.
Title xmltodict 0.14.2 - XML Injection
Weaknesses CWE-91
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Xmltodict Xmltodict
Xmltodict Project Xmltodict
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-04-20T21:45:55.337Z

Reserved: 2025-08-22T22:03:47.627Z

Link: CVE-2025-9375

cve-icon Vulnrichment

Updated: 2025-09-05T01:47:50.016Z

cve-icon NVD

Status : Deferred

Published: 2025-09-01T17:15:33.063

Modified: 2026-04-20T22:16:22.360

Link: CVE-2025-9375

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-01T16:43:18Z

Links: CVE-2025-9375 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses