A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The patch is identified as 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.
[
{
"id": "CVE-2016-15026-57eb8ac0",
"target": {
"function": "initDocBuilderFactory",
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Function",
"digest": {
"function_hash": "73818157104332655743734305318668487658",
"length": 162.0
},
"deprecated": false
},
{
"id": "CVE-2016-15026-7303fdd7",
"target": {
"function": "parse",
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Function",
"digest": {
"function_hash": "271063577363156928844205919802326829115",
"length": 238.0
},
"deprecated": false
},
{
"id": "CVE-2016-15026-8bde8b8d",
"target": {
"function": "getDocBuilder",
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Function",
"digest": {
"function_hash": "295560464668469150273073711917167493982",
"length": 497.0
},
"deprecated": false
},
{
"id": "CVE-2016-15026-9be40edc",
"target": {
"function": "resolveEntity",
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Function",
"digest": {
"function_hash": "84196759086702326352057667526542304220",
"length": 246.0
},
"deprecated": false
},
{
"id": "CVE-2016-15026-b17aac16",
"target": {
"function": "parse",
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Function",
"digest": {
"function_hash": "271063577363156928844205919802326829115",
"length": 238.0
},
"deprecated": false
},
{
"id": "CVE-2016-15026-d53a9e2d",
"target": {
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Line",
"digest": {
"line_hashes": [
"154911896651691659066614047089007333525",
"288904762415930939762016160230504585976",
"170724025471137522039665991575538022768",
"128195611283003956085999530999736042529",
"336038780350479206410207518256628404558",
"214778586371739129180048470290186052760",
"92273930438447614724095986035769461152",
"104080191159220040594950137681646628005",
"43665763489909549328341195293353238602",
"236315981987779014385794075853837338009",
"50237111245684656740358613084329515834",
"189698960561764864748111068795818110089",
"288696968380454899439737896412138981380",
"98958089463804606263813501255120396861",
"257122689100532031558752014366251332240",
"122339393279653980590629437825781955186",
"275318846930166628673316836913241031019",
"321099633839438791686078115350965346609",
"98202338607271692886870259291360560092",
"171300180067330278861596006982037052667",
"120512363601449848410898898414651475790",
"243845392582626440622470582767216856885",
"284706865079888253831891300959800471403",
"273356787388331824968974453424826149992",
"158962672578729372529708767969367409584",
"250337601179638173471837012255273722667",
"338300106518233547904991893982827581832",
"315534818560412095188990206378345087094",
"245379904336459745863939567063470713931",
"210620716367728926251145648727017701796",
"37658285068073842668822798302582672152",
"291897363865647450145935302805449405658",
"23015680672744412473253096332375960406",
"292484501579917063018693097664403513963",
"281029406429438253007897363487816369474",
"298561553491604974378074956338872313592",
"170265570485474799894518003612854395858",
"321885962760570547065202733582932568860",
"307676299899332476585584245588363172235",
"209421244795335554913006043598681452009",
"66264452883119672808393837573048511366",
"283836740789320954656828232964009427452",
"175951704646020278883056294052842081546",
"26003255014130169274027039694564342386",
"108587633537507210242609878158511307392"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2016-15026-ea4c22b5",
"target": {
"function": "parse",
"file": "src/main/java/com/dd/plist/XMLPropertyListParser.java"
},
"signature_version": "v1",
"source": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c",
"signature_type": "Function",
"digest": {
"function_hash": "37951755619349760367888361413720397244",
"length": 212.0
},
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-15026.json"
"2026-04-11T03:43:34Z"