JLSEC-2026-468

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-468.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-468.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2026-468

Upstream

CVE-2024-40896

Published

2026-05-07T16:59:28.152Z

Modified

2026-05-07T17:15:12.408235Z

Summary

[none]

Details

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

Database specific

{
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-40896",
            "database_specific": {
                "status": "Analyzed"
            },
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40896",
            "modified": "2025-11-25T13:32:32.960Z",
            "id": "CVE-2024-40896",
            "imported": "2026-05-07T15:22:30.697Z",
            "published": "2024-12-23T17:15:08.400Z"
        }
    ],
    "license": "CC-BY-4.0"
}

References

Affected packages

Julia / XML2_jll

Package

Name: XML2_jll
Purl: pkg:julia/XML2_jll?uuid=02c8fc9c-b97f-50b9-bbe4-9be30ff0a78a

Affected ranges

Type: SEMVER
Events: Introduced

2.11.5+0

Fixed

2.13.3+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-468.json"