Unknown · Solidcam-Gppl-Ide · CVE-2026-42212
**Name of the Vulnerable Software and Affected Versions**
SolidCAM-GPPL-IDE versions 1.0.0 through 1.0.1
**Description**
Opening a .gpp file causes the language server to parse a companion .vmid file from the same directory. The VMID parser uses `XDocument.Load(path)` without `XmlReaderSettings`, which in .NET 8 allows Document Type Definition (DTD) processing. This enables XML External Entity (XXE) injection, in which an application processes external entities declared in an XML document. A malicious .vmid file can disclose local files via external entity references, exhaust memory through recursive entity expansion, or cause a denial of service via oversized or deeply nested XML.
**Recommendations**
Update to version 1.0.2.
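For code that loads XML the way the description says, a restricted reader can replace the bare `XDocument.Load(path)` call. The following is an added example, not the project's code or its 1.0.2 fix; the class name, the size and depth caps, and the `<vmid>` sample documents are assumptions constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

static class SafeVmidLoader // hypothetical name, not from the project
{
    const long MaxBytes = 4 * 1024 * 1024; // assumed cap on file size
    const int MaxDepth = 64;               // assumed cap on element nesting

    static XmlReaderSettings Settings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
        XmlResolver = null,                     // never resolve external resources
        MaxCharactersInDocument = MaxBytes,
        MaxCharactersFromEntities = 1024,       // defence in depth; 0 would mean "no limit"
    };

    public static XDocument Load(string path)
    {
        if (new FileInfo(path).Length > MaxBytes)
            throw new InvalidDataException("VMID file exceeds the size cap");
        byte[] data = File.ReadAllBytes(path);

        // Pass 1: stream through the document and reject excessive nesting.
        using (var probe = XmlReader.Create(new MemoryStream(data), Settings()))
            while (probe.Read())
                if (probe.Depth > MaxDepth)
                    throw new InvalidDataException("VMID nesting exceeds the depth cap");

        // Pass 2: build the tree with the same restrictive settings.
        using var reader = XmlReader.Create(new MemoryStream(data), Settings());
        return XDocument.Load(reader);
    }

    static void Main()
    {
        // Constructed sample inputs; the <vmid> element name is illustrative only.
        string dir = Directory.CreateTempSubdirectory().FullName;
        string ok = Path.Combine(dir, "ok.vmid"), dtd = Path.Combine(dir, "dtd.vmid");
        File.WriteAllText(ok, "<vmid><machine name=\"demo\"/></vmid>");
        File.WriteAllText(dtd, "<!DOCTYPE vmid [<!ENTITY e \"x\">]><vmid>&e;</vmid>");

        Console.WriteLine(Load(ok).Root!.Name);
        try { Load(dtd); } // the DOCTYPE is refused before any entity is expanded
        catch (XmlException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The size and depth caps address the oversized and deeply nested inputs named in the description, while `DtdProcessing.Prohibit` removes both the external-entity and entity-expansion paths in one setting.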