PT-2025-39843 · Pypi · Xml2Rfc

Published 2025-09-10 · Updated 2025-09-10 · CVE-2025-11059

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the prepped RFCXML.

Workarounds

Before processing untrusted input, check it for link elements with rel="attachment".
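One way to apply this workaround as a pre-processing gate is sketched below; it is an added example, not code from the advisory or from the xml2rfc project. The function names and the sample document are constructed for illustration. The sketch assumes the link target sits in the `href` attribute, as in the RFCXML v3 vocabulary, and matches `rel` loosely (case and whitespace) as a deliberate over-approximation.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not from the advisory): one ordinary link and one
# link carrying rel="attachment", the attribute the workaround singles out.
SAMPLE_PREPPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rfc version="3" prepTime="2025-01-01T00:00:00Z">
  <link href="https://example.org/info" rel="alternate"/>
  <front><title>Constructed sample</title></front>
  <middle>
    <section><t>Body text.</t>
      <link href="constructed-placeholder-value" rel=" Attachment "/>
    </section>
  </middle>
</rfc>
"""

def local_name(tag):
    """Strip a '{namespace}' prefix so namespaced elements still match."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def find_attachment_links(xml_bytes):
    """Return (href, rel) for every <link> whose rel has an 'attachment' token."""
    root = ET.fromstring(xml_bytes)  # raises ET.ParseError on malformed input
    findings = []
    for elem in root.iter():  # whole tree: untrusted input may ignore the schema
        if local_name(elem.tag) != "link":
            continue
        rel = elem.get("rel", "")
        # Assumption: compare case-insensitively and per whitespace-separated
        # token, so near-variants are flagged for review rather than missed.
        if "attachment" in rel.lower().split():
            findings.append((elem.get("href", ""), rel))
    return findings

def passes_attachment_check(xml_bytes):
    """Fail closed: unparseable input is rejected rather than passed on."""
    try:
        return not find_attachment_links(xml_bytes)
    except ET.ParseError:
        return False

if __name__ == "__main__":
    for href, rel in find_attachment_links(SAMPLE_PREPPED):
        print(f"flagged link rel={rel!r} href={href!r}")
```

Documents that fail the check should be held for manual review instead of being passed to PDF generation.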

References

This is related to GHSA-cfmv-h8fx-85m7.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2025-11059
GHSA-9MV7-3C64-MMQW

Affected Products

Xml2Rfc