Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Description

A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.

NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x

Basic Information

ID CVE-2026-23822

Source hpe

Published May 12, 2026 at 18:37

Modified May 12, 2026 at 19:25

Affected Product

Vendor Hewlett Packard Enterprise (HPE)

Product ArubaOS (AOS)

Version 8.13.0.0

Affected Versions Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 8.13.0.0
Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 8.12.0.0
Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 8.10.0.0

CWE Classification

CWE-776

References

support.hpe.com /hpesc/public/docDisplay

{
    "lastseen": "",
    "description": "A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.\n\n\n\n\n\n\n\n\nNOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x",
    "published": "2026-05-12T18:37:08.787Z",
    "modified": "2026-05-12T19:25:55.101Z",
    "type": "cve",
    "title": "Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service",
    "source": "hpe",
    "references": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US",
    "id": "CVE-2026-23822",
    "bulletinFamily": "",
    "cwe": [
        "CWE-776"
    ],
    "cvelist": null,
    "sourceData": "Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 8.13.0.0\nHewlett Packard Enterprise (HPE) ArubaOS (AOS) 8.12.0.0\nHewlett Packard Enterprise (HPE) ArubaOS (AOS) 8.10.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ArubaOS (AOS)",
    "version": "8.13.0.0",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service_CVE-2026-23822