HIGH🇵🇱 Wersja polska

CVE-2025-24404

CVSS 8.8v3.1pub. 2025-09-09upd. 2025-11-04

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Apache Hertzbeat

    APP
    Apache
    < 1.7.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-51653CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — JNDI injection RCE przez endpoint JMX

CVE-2023-51388CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — script injection via AviatorEvaluator (RCE)

CVE-2023-51389CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — YAML deserialization w endpoincie /define/yml

CVE-2026-24343HIGH8.8ten sam produkt

Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat...

CVE-2025-48208HIGH8.8ten sam produkt

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache H...