Description
SolidCAM-GPPL-IDE is an unofficial, independently developed Postprocessor IDE extension for SolidCAM. From version 1.0.0 to before version 1.0.2, opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults, which in .NET 8 allow DTD processing. A malicious .vmid file could therefore disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.
Published: 2026-05-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SolidCAM-GPPL-IDE opens a companion .vmid file whenever a .gpp file is loaded. The parser uses XDocument.Load without any XmlReaderSettings, which in .NET 8 defaults to allowing DTD processing. Consequently an attacker can embed entity references that resolve to local file paths, causing the application to read arbitrary files from the user's machine. The parser can also be fed recursive or deeply nested entities, resulting in excessive memory consumption or crashes, and thereby denial of service. The weakness is a classic XML External Entity attack (CWE-611) coupled with a denial-of-service condition (CWE-400) and unrestricted recursive entity expansion in DTDs (CWE-776).
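The vulnerable loader pattern beside a hardened one, as an added illustration that is not the extension's own code; the VmidLoader and Demo names, the sample .vmid content and the temp-directory path are assumptions. The hardened form prohibits DTDs entirely, so a companion file carrying a DOCTYPE is rejected before any entity can be expanded:

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Hypothetical stand-in for the extension's VMID loader; the names are assumptions.
static class VmidLoader
{
    // Vulnerable pattern named by the advisory: no XmlReaderSettings, so framework defaults rule.
    public static XDocument LoadUnsafe(string vmidPath) => XDocument.Load(vmidPath);

    // Hardened form: refuse any DTD and never resolve external resources, so a .vmid carrying
    // a DOCTYPE is rejected before any entity (local file or recursive) can be expanded.
    public static XDocument LoadHardened(string vmidPath)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // XmlException on <!DOCTYPE ...>
            XmlResolver = null,                     // no external DTD or entity fetches
            MaxCharactersFromEntities = 1024,       // defence in depth should DTDs ever return
        };
        using var reader = XmlReader.Create(vmidPath, settings);
        return XDocument.Load(reader);
    }

    // The foo.gpp -> foo.vmid companion lookup the advisory describes.
    public static string CompanionVmidPath(string gppPath) => Path.ChangeExtension(gppPath, ".vmid");
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: a harmless internal DTD, enough to show the hardened
        // loader rejecting any DOCTYPE instead of parsing it.
        string vmid = VmidLoader.CompanionVmidPath(Path.Combine(Path.GetTempPath(), "foo.gpp"));
        File.WriteAllText(vmid,
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE vmid [ <!ENTITY name \"sample\"> ]>\n" +
            "<vmid><machine>&name;</machine></vmid>\n");
        try
        {
            VmidLoader.LoadHardened(vmid);
            Console.WriteLine("unexpected: DTD was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected as expected: " + e.Message);
        }
    }
}
```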

Affected Systems

The issue applies to Anzory’s SolidCAM‑GPPL‑IDE extension for SolidCAM, affecting all releases from 1.0.0 up to, but not including, 1.0.2. Version 1.0.2 and later include a fix that sanitizes the XML input.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high risk for exposed systems. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. Based on the description, the likely attack vector is local file placement: an adversary must place a malicious .vmid file beside a .gpp file in the same directory and entice the user to open the .gpp file, which triggers the parser. Once the file is processed, file disclosure or denial of service can occur. The vulnerability remains exploitable until the patched version is deployed.

Generated by OpenCVE AI on May 8, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SolidCAM‑GPPL‑IDE to version 1.0.2 or later, which blocks external entity handling in the VMID parser.
  • Restrict the IDE to open only trusted .gpp/.vmid pairs, ensuring that the user does not open files from unverified sources.
  • Configure the underlying .NET runtime to disable DTD processing or use an XML reader with explicit XmlReaderSettings that forbids external entities, if possible.

Advisories

No advisories yet.

History

Fri, 08 May 2026 22:00:00 +0000

Type: Description
  Values removed: (none)
  Values added: SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.

Type: Title
  Values removed: (none)
  Values added: SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-laughs DoS in VMID parser

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-400, CWE-611, CWE-776

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:35:29.642Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42212

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T22:16:32.243

Modified: 2026-05-08T22:16:32.243

Link: CVE-2026-42212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:00:25Z

Weaknesses