CVE-2026-34401

Name of the Vulnerable Software and Affected Versions XML Notepad versions prior to 2.9.0.21

Description XML Notepad, a Windows program for editing XML documents, does not disable DTD processing by default before version 2.9.0.21. This allows for the resolution of external entities. An attacker can craft a malicious XML file containing a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leading to the leakage of local file contents or the capture of the victim's NTLM credentials. The API endpoints and vulnerable parameters are not explicitly mentioned in the provided information.

Recommendations Update XML Notepad to version 2.9.0.21 or later.