How severe is CVE-2024-40896?

CVE-2024-40896 has a CVSS v3 score of 9.1 (CRITICAL).

CVE-2024-40896

Name: hci_compute_node
Author: netapp

9.1CRITICAL

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by settin

Published: 12/23/2024Updated: 11/25/2025

Description

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

AI AnalysisPowered by AI

Affected Products

xmlsoftlibxml2

netapphci_compute_node

netappsolidfire_\&_hci_management_node

netappsolidfire_\&_hci_storage_node

netapph300s_firmware

netapph300s

netapph410s_firmware

netapph410s

netapph500s_firmware

netapph500s

netapph700s_firmware

netapph700s

netapph410c_firmware

netapph410c

References

https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
Issue Tracking
https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
Issue Tracking
https://security.netapp.com/advisory/ntap-20250228-0004/
Third Party Advisory