CVE-2026-42212

Source
https://cve.org/CVERecord?id=CVE-2026-42212
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42212.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42212
Aliases
  • GHSA-92vg-f4fq-fxm9
Published
2026-05-08T21:35:29.642Z
Modified
2026-07-08T08:03:14.809811227Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-laughs DoS in VMID parser
Details

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42212.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400",
        "CWE-611",
        "CWE-776"
    ]
}
References

Affected packages

Git / github.com/anzory/solidcam-gppl-ide

Affected ranges

Type
GIT
Repo
https://github.com/anzory/solidcam-gppl-ide
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.2"
        },
        {
            "introduced": "0"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42212.json"