CVE-2025-9375

Summary

XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1.

NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.

Affected Software

VendorProductVersion RangeStatus
xmltodictxmltodict0.14.2 < 0.15.1affected

Weaknesses

  • CWE-91: CWE-91 XML Injection (aka Blind XPath Injection)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References