CVE-2026-34401

medium

Microsoft

CVSS v3 Base Score

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Score

0.2%

Exploitation probability in 30 days

Top 53% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Confidentiality

High

Integrity

None

Availability

None

Published: March 31, 2026 (43 days ago)

Last Modified: April 13, 2026

Vendor: Microsoft

Source: NVD

Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

CWE

CWE-611

Affected Products

microsoft xml notepad

References

🔗 github.com 🔗 github.com 🔗 github.com 🔗 github.com 🔗 github.com

CVE-2026-34401

Vulnerability Report

Description

CWE

Affected Products

References