CVE-2026-34401

MEDIUM 6.5

XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading

CVSS Score

6.5

EPSS Score

0.2%

EPSS Percentile

45th

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

CWE	CWE-611
Vendor	microsoft
Product	xmlnotepad
Ecosystems	Windows .NET Azure
Industries	TechnologyEnterprise
Published	Mar 31, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for microsoft xmlnotepad

Be the first to know when new medium vulnerabilities affecting microsoft xmlnotepad are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

microsoft / XmlNotepad

< 2.9.0.21

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch github.com: https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c github.com: https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53 github.com: https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21