CVE Catalog

CVE-2026-12993

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A flaw was found in Apicurio Registry where DocumentBuilderAccessor blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) causing CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.

Risk Assessment

The risk is a potential XML Entity Expansion (billion-laughs) attack leading to denial of service (DoS) by exhausting server CPU and memory resources, impacting system availability.

Recommendation

Update Apicurio Registry to a patched version or manually configure DocumentBuilderFactory to disable DOCTYPE and enable FEATURE_SECURE_PROCESSING.

Original NVD description (English source)

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS