Home > Vulnerability Database > CVE-2024-31573

Mend.io Vulnerability Database

CVE-2024-31573

Good to know:

Date: October 16, 2025

When performing XSLT transformations XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Language: Java

Severity Score

4.0

Related Resources (8)

Url: https://github.com/xmlunit/xmlunit

Url: https://docs.oracle.com/en/java/javase/22/security/java-api-xml-processing-jaxp-security-guide.html#GUID-E345AA09-801E-4B95-B83D-7F0C452538AA

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-31573

Url: https://github.com/advisories/GHSA-chfm-68vv-pvw5

Url: https://github.com/xmlunit/xmlunit/issues/264

Url: https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b

Url: https://github.com/xmlunit/xmlunit/security/advisories/GHSA-chfm-68vv-pvw5

Url: https://www.mend.io/vulnerability-database/CVE-2024-31573

Severity Score

4.0

Weakness Type (CWE)

Incorrect Resource Transfer Between Spheres

CWE-669

Top Fix

Upgrade Version

Upgrade to version org.xmlunit:xmlunit-core:2.10.0

Learn More

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-31573

Good to know:

Date: October 16, 2025

Language: Java

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?