Description

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.

INFO

Published Date :

2026-03-31T21:05:50.647Z

Last Modified :

2026-04-01T15:53:18.538Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34401 vulnerability.

Vendors Products
Microsoft
  • Xmlnotepad
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34401.

URL Resource
https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c cve-icon cve-icon
https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53 cve-icon cve-icon
https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21 cve-icon cve-icon
https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact