CVE-2026-6807

MEDIUM 5.5

NSA GRASSMARLIN Improper Restriction of XML External Entity Reference

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

CWE	CWE-611
Vendor	nsa
Product	grassmarlin
Published	Apr 28, 2026

Stay Ahead of the Next One

Get instant alerts for nsa grassmarlin

Be the first to know when new medium vulnerabilities affecting nsa grassmarlin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

NSA / GRASSMARLIN

All versions

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01 github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-118-01.json

Credits

Grady DeRosa reported this vulnerability to CISA.