PT-2026-39200 · Unknown · Solidcam-Gppl-Ide

Anzory · Published 2026-05-08 · Updated 2026-05-09
CVE-2026-42212
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SolidCAM-GPPL-IDE versions 1.0.0 through 1.0.1

Description: Opening a .gpp file causes the language server to parse a companion .vmid file from the same directory. The VMID parser uses XDocument.Load(path) without XmlReaderSettings, which in .NET 8 allows Document Type Definition (DTD) processing. This enables XML External Entity (XXE) injection—a technique where an application processes external entities within an XML document—allowing a malicious .vmid file to disclose local files via external entity references, exhaust memory through recursive entity expansion, or cause a denial of service via oversized or deeply nested XML.

Recommendations: Update to version 1.0.2.
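The loading pattern named in the description, placed beside a hardened alternative, as an added C# example; this is not code from SolidCAM-GPPL-IDE or from its 1.0.2 fix. The `VmidLoader` class, its method names, the size limits and the `<vmid>` element used in the constructed sample files are assumptions made for the illustration. The hardened loader refuses any DOCTYPE, so external entities, recursive expansion and external resolution never reach the parser, and it caps document size to address the oversized-input case the advisory lists.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

public static class VmidLoader
{
    // The pattern the advisory describes: XDocument.Load(path) with no
    // XmlReaderSettings. Kept here only to contrast with LoadHardened; a
    // companion file controlled by whoever wrote the .gpp directory decides
    // what this parser will do.
    public static XDocument LoadUnsafe(string path)
    {
        return XDocument.Load(path);
    }

    // Hardened loader (assumed design, not the project's actual fix):
    // any <!DOCTYPE> is rejected with an XmlException before entities are
    // declared, no XmlResolver exists to fetch files or URLs, and the
    // document as a whole is size-limited.
    public static XDocument LoadHardened(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,      // throw on <!DOCTYPE ...>
            XmlResolver = null,                          // never resolve external resources
            MaxCharactersFromEntities = 1024,            // defence in depth if DTDs are ever re-enabled
            MaxCharactersInDocument = 10L * 1024 * 1024, // assumed 10 MiB cap on a .vmid file
        };

        using (XmlReader reader = XmlReader.Create(path, settings))
        {
            return XDocument.Load(reader);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "vmid-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);

        // Constructed sample: a plain companion file. The element names are
        // assumptions, not SolidCAM's real .vmid schema.
        string benign = Path.Combine(dir, "machine.vmid");
        File.WriteAllText(benign, "<?xml version=\"1.0\"?><vmid><axis name=\"X\"/></vmid>");

        // Constructed sample: the same document carrying an internal DTD.
        // A DOCTYPE of any kind is what the hardened loader must refuse; an
        // internal entity is enough to show the difference between the loaders.
        string withDtd = Path.Combine(dir, "machine-dtd.vmid");
        File.WriteAllText(withDtd,
            "<?xml version=\"1.0\"?><!DOCTYPE vmid [<!ENTITY e \"expanded\">]><vmid>&e;</vmid>");

        // Benign file parses with both loaders.
        Console.WriteLine("hardened, benign: root = " + VmidLoader.LoadHardened(benign).Root?.Name);

        // Unsafe loader parses the DTD and expands the entity.
        Console.WriteLine("unsafe, DTD: text = " + VmidLoader.LoadUnsafe(withDtd).Root?.Value);

        // Hardened loader stops at the DOCTYPE.
        try
        {
            VmidLoader.LoadHardened(withDtd);
            Console.WriteLine("hardened, DTD: unexpectedly accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("hardened, DTD: rejected (" + ex.Message + ")");
        }

        Directory.Delete(dir, recursive: true);
    }
}
```

Rejecting DTDs outright is the right default for a file format that has no legitimate need for them; `DtdProcessing.Ignore` would also block entity expansion but silently drops the DOCTYPE rather than surfacing an error, which hides a file that is probably hostile. Because the .vmid is loaded implicitly when a .gpp is opened, the failure should be reported to the user rather than swallowed, so that a malformed companion file is noticed.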

Exploit · Fix · Resource Exhaustion · XML Entity Expansion · XXE

Weakness Enumeration

Related Identifiers: CVE-2026-42212

Affected Products: Solidcam-Gppl-Ide