CVE-2026-8396
Netcad Software · NetGIS
NetGIS contains an XML external entity (XXE) vulnerability that permits unauthorized information disclosure via improper restriction of XML references.
Executive summary
An unauthenticated XML external entity vulnerability in NetGIS creates a high risk of unauthorized information disclosure and potential system impact.
Vulnerability
This is an XML external entity (XXE) vulnerability (CWE-611), which occurs when an application improperly processes XML input, allowing an unauthenticated remote attacker to potentially read local files or perform server-side request forgery.
Business impact
Successful exploitation allows an attacker to access sensitive internal files, which could lead to further system compromise or the theft of credentials and configuration data. The CVSS score of 7.5 reflects the high potential for confidentiality loss and the lack of authentication required to execute the attack.
Remediation
Immediate Action: Update NetGIS to version 7.2.2 or later to ensure proper handling of XML inputs and closure of the XXE vector.
Proactive Monitoring: Monitor server logs for XML-based anomalies or requests containing unexpected DOCTYPE declarations.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block malicious XML payloads and prevent the processing of external entities.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk posed by this XXE vulnerability is significant, as it can be leveraged to gain deep visibility into the underlying server environment. Administrators must verify their current version and apply the required update immediately to secure the NetGIS instance.