Base Score

MEDIUM5

CVE-2025-66371

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.

VectorNETWORK

Published Bycve@mitre.org

Published DateNov 28, 2025, 04:16

Affected Versions(1)

peppol_py(PyPI)

Introduced0

Fixed1.1.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
peppol_py(PyPI)	0	1.1.1	N/A

Weakness Type (CWE):CWE-611

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

MEDIUM5

Weakness Type (CWE):CWE-611

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE