Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-12993
PUBLISHED
More InfoOfficial Page
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
View Known Exploited Vulnerability (KEV) details
Published At-25 Jun, 2026 | 23:23
Updated At-29 Jun, 2026 | 18:12
Rejected At-
▼CVE Numbering Authority (CNA)
Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Apicurio Registry 3
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
apicurio/apicurio-registry-rhel8
CPEs
  • cpe:/a:redhat:apicurio_registry:3
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Apicurio Registry 3
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
apicurio/apicurio-registry-rhel9
CPEs
  • cpe:/a:redhat:apicurio_registry:3
Default Status
affected
Problem Types
TypeCWE IDDescription
CWECWE-776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Type: CWE
CWE ID: CWE-776
Description: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Red Hat severity rating
value:
Moderate
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-05-24 00:00:00
Made public.2026-06-10 13:00:00
Event: Reported to Red Hat.
Date: 2026-05-24 00:00:00
Event: Made public.
Date: 2026-06-10 13:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-12993
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2491692
issue-tracking
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-12993
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2491692
Resource:
issue-tracking
x_refsource_REDHAT
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found