CVE-2025-9375
xmltodict 0.14.2 - XML Injection
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
24th
XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
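The delegation the description refers to, shown as an added example that is not code from the xmltodict project or from the advisory: `xml.sax.saxutils.XMLGenerator.startElement()` writes element and attribute names verbatim and escapes only character data and attribute values, so a dict key that an attacker controls (a JSON field name, for instance) becomes raw markup. The `_emit`/`unsafe_unparse` functions below are a hypothetical stand-in that walks a dict using the key conventions xmltodict documents (`@`-prefixed keys become attributes, `#text` becomes character data, a list repeats the element); they are not xmltodict's implementation. `is_xml_name` and `safe_unparse` are the caller-side check a practitioner can apply regardless of library version. All input is constructed.

```python
# Added example (not code from xmltodict or the advisory). XMLGenerator
# escapes text and attribute VALUES; element and attribute NAMES are
# written verbatim, which is the injection point the CVE describes.
import re
from io import StringIO
from xml.sax.saxutils import XMLGenerator

# XML 1.0 Name production (NameStartChar / NameChar) used as an allow-list.
# Assumption: callers never need names outside these ranges.
_START = (r"A-Za-z_:\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          r"\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF"
          r"\uF900-\uFDCF\uFDF0-\uFFFD")
_CHAR = _START + r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_XML_NAME = re.compile("^[" + _START + "][" + _CHAR + "]*$")


def is_xml_name(name) -> bool:
    """True if name is a syntactically valid XML element/attribute name."""
    return isinstance(name, str) and _XML_NAME.match(name) is not None


def _emit(gen, tag, value):
    # Hypothetical stand-in for the dict-to-XML walk. It follows xmltodict's
    # documented key conventions ('@attr', '#text', list = repeated element)
    # but is NOT xmltodict's code. Deliberately performs no name validation.
    if isinstance(value, list):
        for item in value:
            _emit(gen, tag, item)
        return
    attrs, text, children = {}, None, []
    if isinstance(value, dict):
        for key, val in value.items():
            if key.startswith("@"):
                attrs[key[1:]] = str(val)      # attribute name passed through raw
            elif key == "#text":
                text = str(val)
            else:
                children.append((key, val))
    elif value is not None:
        text = str(value)
    gen.startElement(tag, attrs)               # writes '<' + tag + attrs + '>' unescaped
    if text is not None:
        gen.characters(text)                   # only character data is escaped
    for key, val in children:
        _emit(gen, key, val)
    gen.endElement(tag)                        # writes '</' + tag + '>' unescaped


def unsafe_unparse(doc: dict) -> str:
    """Serialise a one-root dict exactly as handed in (no name checks)."""
    if len(doc) != 1:
        raise ValueError("document must have exactly one root element")
    buf = StringIO()
    gen = XMLGenerator(buf, encoding="utf-8")
    (root, value), = doc.items()
    _emit(gen, root, value)
    return buf.getvalue()


def _check_names(value):
    """Reject any element or attribute name that is not an XML Name."""
    if isinstance(value, dict):
        for key, val in value.items():
            if key != "#text":
                name = key[1:] if key.startswith("@") else key
                if not is_xml_name(name):
                    raise ValueError(f"invalid XML name: {key!r}")
            _check_names(val)
    elif isinstance(value, list):
        for item in value:
            _check_names(item)


def safe_unparse(doc: dict) -> str:
    """Validate every name first, then serialise: the caller-side mitigation."""
    _check_names(doc)
    return unsafe_unparse(doc)


if __name__ == "__main__":
    # Constructed input: the dict key is attacker-controlled and carries markup.
    hostile = {"user": {"name><role>admin</role><name": "alice"}}
    print(unsafe_unparse(hostile))
    # -> <user><name><role>admin</role><name>alice</name><role>admin</role><name></user>
    print(unsafe_unparse({"user": {'@id="1" admin': "yes"}}))
    # -> <user id="1" admin="yes"></user>
    try:
        safe_unparse(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The two printed lines show element injection (an extra `<role>admin</role>` appears, and the document is still well-formed XML, so a downstream parser accepts it) and attribute injection through an attribute name. The check rejects the key before anything is written; if you cannot upgrade past 0.15.1, wrapping `xmltodict.unparse()` with the same `_check_names` walk is the equivalent mitigation.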
| Field | Value |
| --- | --- |
| CWE | CWE-91 |
| Vendor | xmltodict |
| Product | xmltodict |
| Published | Sep 1, 2025 |
| Last Updated | Apr 20, 2026 |
Affected Versions
xmltodict / xmltodict
0.14.2 < 0.15.1
References
fluidattacks.com: https://fluidattacks.com/advisories/mono
github.com: https://github.com/martinblech/xmltodict
github.com: https://github.com/martinblech/xmltodict/blob/v0.15.1/CHANGELOG.md
github.com: https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
github.com: https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923
docs.python.org: https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
docs.python.org: https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator