CVE-2026-42212

UNKNOWN 0.0

SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-laughs DoS in VMID parser

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.

CWE	CWE-400 CWE-611 CWE-776
Vendor	anzory
Product	solidcam-gppl-ide
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for anzory solidcam-gppl-ide

Be the first to know when new unknown vulnerabilities affecting anzory solidcam-gppl-ide are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

anzory / SolidCAM-GPPL-IDE

>= 1.0.0, < 1.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9 github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20 github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2