CVE-2026-34401 - Vulnerability Details

- XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading

Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

Published: 2026-03-31

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

XML Notepad provides an interface for XML documents. Prior to version 2.9.0.21 it does not disable DTD processing by default, which allows external entities to be automatically resolved. An attacker can craft a malicious XML file containing a DTD that causes XML Notepad to make outbound HTTP or SMB requests, potentially leaking local file contents or capturing cached NTLM credentials. The vulnerability is classified under CWE‑611, exposing sensitive data.

Affected Systems

The flaw affects Microsoft XML Notepad running on Windows platforms. Any installation of XML Notepad before version 2.9.0.21 is susceptible. The issue applies to the default configuration where DTD processing remains enabled.

Risk and Exploitability

The CVSS base score is 6.5, indicating moderate severity. EPSS shows a less than 1% chance of exploitation in the next year, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is that a user must open a crafted XML file in XML Notepad; the vulnerability is local and does not require network access to the attacker. Exploitability is limited to contexts where the user has permission to access the file, but once triggered it can exfiltrate arbitrary file contents or capture session credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

microsoft

XmlNotepad

affected

Version	Status	Constraints
`< 2.9.0.21`	affected	—

Configuration 1 [-]

cpe:2.3:a:microsoft:xml_notepad:*:*:*:*:*:windows:*:*

No data.

Vendor Product Confidence Versions

Microsoft

Xmlnotepad

100%

Version	Status	Scheme	Platform
`[0,2.9.0.21)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade XML Notepad to version 2.9.0.21 or later.
If upgrading cannot be performed immediately, restrict XML Notepad's outbound network access by configuring firewall rules or disabling internet and SMB shares.

Generated by OpenCVE AI on April 13, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00285.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c
https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53
https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21
https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch

History

Mon, 13 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft xml Notepad
CPEs		cpe:2.3:a:microsoft:xml_notepad::::::windows::*
Vendors & Products		Microsoft xml Notepad

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft xmlnotepad
Vendors & Products		Microsoft Microsoft xmlnotepad

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.
Title		XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading
Weaknesses		CWE-611
References		https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53 https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21 https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

Subscriptions

Microsoft Xml Notepad Xmlnotepad

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T21:05:50.647Z

Updated: 2026-04-01T15:53:18.538Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34401

Vulnrichment

Updated: 2026-04-01T15:45:51.351Z

NVD

Status : Analyzed

Published: 2026-03-31T22:16:18.490

Modified: 2026-04-13T15:19:47.710

Link: CVE-2026-34401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:15Z

Weaknesses

CWE-611

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object