CVE 7.1 HIGH

SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-laughs DoS in VMID parser (CVE-2026-42212)

7.1 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

SolidCAM-GPPL-IDE is an unofficial, independently developed Postprocessor IDE extension for SolidCAM. In versions from 1.0.0 and before 1.0.2, opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults, which in .NET 8 allow DTD processing. A malicious .vmid file could therefore disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.
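As an added illustration, not code from the extension or its fix, the call shape the advisory describes next to a hardened loader that turns off DTD processing, external resolution, and caps document size and nesting; the class name, the limits and the probe file are assumptions:

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Hypothetical VMID loader; not the extension's own code. Limits are assumed.
public static class VmidLoader
{
    private const int MaxDepth = 64;
    private const long MaxBytes = 8 * 1024 * 1024;

    // The call shape the advisory describes: framework defaults, no XmlReaderSettings.
    public static XDocument LoadUnsafe(string vmidPath) => XDocument.Load(vmidPath);

    // Hardened form: reject any DTD, never resolve external resources, cap size and depth.
    public static XDocument LoadSafe(string vmidPath)
    {
        if (new FileInfo(vmidPath).Length > MaxBytes)
            throw new InvalidDataException("VMID file exceeds size limit");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // a DOCTYPE is an error: no XXE, no entity expansion
            XmlResolver = null,                     // no file/network fetches even if a DTD got through
            MaxCharactersFromEntities = 1024,       // defence in depth against expansion
            MaxCharactersInDocument = MaxBytes,
        };

        // Streaming pre-pass for nesting depth, which XmlReaderSettings cannot limit on its own.
        using (var probe = XmlReader.Create(vmidPath, settings))
            while (probe.Read())
                if (probe.Depth > MaxDepth)
                    throw new InvalidDataException($"VMID nested deeper than {MaxDepth} levels");

        using var reader = XmlReader.Create(vmidPath, settings);
        return XDocument.Load(reader, LoadOptions.SetLineInfo);
    }

    public static void Main()
    {
        // Constructed probe file: a small internal DTD with chained entities, the pattern
        // LoadSafe must reject before any expansion happens.
        string tmp = Path.Combine(Path.GetTempPath(), "probe.vmid");
        File.WriteAllText(tmp, "<!DOCTYPE vmid [<!ENTITY a \"x\"><!ENTITY b \"&a;&a;&a;&a;\">]><vmid>&b;</vmid>");
        try { LoadSafe(tmp); Console.WriteLine("unexpected: document parsed"); }
        catch (XmlException e) { Console.WriteLine("rejected: " + e.Message); }
        finally { File.Delete(tmp); }
    }
}
```

With DtdProcessing.Prohibit the reader throws an XmlException on the DOCTYPE itself, so neither entity expansion nor any external fetch is attempted; the size and depth checks cover the oversized and deeply nested cases the advisory names.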

Basic Information

ID CVE-2026-42212
Source GitHub_M
Published May 8, 2026 at 21:35

Affected Product

Vendor anzory
Product SolidCAM-GPPL-IDE
Version >= 1.0.0, < 1.0.2
Affected Versions anzory SolidCAM-GPPL-IDE >= 1.0.0, < 1.0.2

CWE Classification

References
