CVE-2026-6807 PUBLISHED

NSA GRASSMARLIN Improper Restriction of XML External Entity Reference

Assigner: icscert
Reserved: 21.04.2026 Published: 28.04.2026 Updated: 28.04.2026

A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.5

Product Status

Vendor: NSA
Product: GRASSMARLIN
Versions (default status: unaffected):
  • All versions: affected

Workarounds

NSA has indicated that the GRASSMARLIN project has reached end-of-life status as of 2017 and is no longer supported. The project is archived, and no patches or further updates are planned or expected.

Credits

  • Grady DeRosa reported this vulnerability to CISA (finder)

Problem Types

  • CWE-611: Improper Restriction of XML External Entity Reference