Impact
The vulnerability is an improper restriction of XML External Entity (XXE) processing in the XMLUtils.java component of Slovensko.Digital Autogram. A remote, unauthenticated attacker can send a specially crafted XML document to the /sign endpoint, and the application resolves the external entities declared in it. This can lead to server-side request forgery (SSRF) against internal resources and to unauthorized reading of local files on the host system. The weakness is classified under CWE-611 (Improper Restriction of XML External Entity Reference), i.e. untrusted XML input is parsed with external entity resolution left enabled.
Affected Systems
Affected systems are instances of the Slovensko.Digital Autogram application. The provided data does not specify exact affected versions, but the vulnerability is present in the code backing the application's /sign functionality. A patch is referenced in release v2.7.2 of Autogram, yet the description does not confirm that the patch fully resolves the issue. Administrators should verify whether their deployed version includes the fix identified in the v2.7.2 release.
Risk and Exploitability
The CVSS base score of 8.6 places this flaw in the high-severity range, indicating significant potential impact if exploited. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attacker needs no credentials, but the attack requires the victim to visit a malicious website that serves the crafted XML payload to the /sign endpoint, so the vector involves user interaction. Once executed, the attacker can reach internal resources and read sensitive files, presenting a considerable confidentiality risk.
OpenCVE Enrichment