{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6807", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-04-21T16:01:40.334Z", "datePublished": "2026-04-28T17:41:13.480Z", "dateUpdated": "2026-04-28T17:41:13.480Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-04-28T17:41:13.480Z"}, "title": "NSA GRASSMARLIN Improper Restriction of XML External Entity Reference", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-611", "description": "CWE-611", "type": "CWE"}]}], "affected": [{"vendor": "NSA", "product": "GRASSMARLIN", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process."}]}], "tags": ["unsupported-when-assigned"], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-118-01.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "workarounds": [{"lang": "en", "value": "NSA has indicated that the GRASSMARLIN project has reached end-of-life \nstatus as of 2017 and is no longer supported. The project is archived, \nand no patches or further updates are planned or expected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "NSA has indicated that the GRASSMARLIN project has reached end-of-life \nstatus as of 2017 and is no longer supported. The project is archived, \nand no patches or further updates are planned or expected."}]}], "credits": [{"lang": "en", "value": "Grady DeRosa reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-118-01", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [{"sourceIdentifier": "ics-cert@hq.dhs.gov", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process."}], "id": "CVE-2026-6807", "lastModified": "2026-04-28T20:10:23.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-04-28T19:37:47.773", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-118-01.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{}