CVE-2026-12975

Summary

A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-611: Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

Apicurio/apicurio-registry: apicurio-registry: Unhardened SAXParser in content-type detection leads to blind XXE / SSRF / billion-laughs DoS

Additional References

References