{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3511", "assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd", "state": "PUBLISHED", "assignerShortName": "SK-CERT", "dateReserved": "2026-03-04T10:42:40.045Z", "datePublished": "2026-03-19T11:25:44.800Z", "dateUpdated": "2026-03-19T13:15:06.878Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bc375322-d3d7-4481-b261-e29662236cfd", "shortName": "SK-CERT", "dateUpdated": "2026-03-19T11:34:05.288Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}, {"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "affected": [{"vendor": "Slovensko.Digital", "product": "Autogram", "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.<br><br><br>"}]}], "references": [{"url": "https://github.com/slovensko-digital/autogram/releases/tag/v2.7.2"}, {"url": "https://blog.binary.house/2026/03/pripadova-studia-ako-sme-s-claude-code.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}}], "timeline": [{"time": "2026-03-02T23:00:00.000Z", "lang": "en", "value": "Vulnerability discovered"}, {"time": "2026-03-02T23:00:00.000Z", "lang": "en", "value": "Vulnerability reported to developer"}, {"time": "2026-03-02T23:00:00.000Z", "lang": "en", "value": "Developer patched the vulnerability"}], "credits": [{"lang": "en", "value": "Martin Orem from Binary House", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:14:58.232031Z", "id": "CVE-2026-3511", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:15:06.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3511", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:14:58.232031Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:15:02.806Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Martin Orem from Binary House"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}, {"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Slovensko.Digital", "product": "Autogram", "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-02T23:00:00.000Z", "value": "Vulnerability discovered"}, {"lang": "en", "time": "2026-03-02T23:00:00.000Z", "value": "Vulnerability reported to developer"}, {"lang": "en", "time": "2026-03-02T23:00:00.000Z", "value": "Developer patched the vulnerability"}], "references": [{"url": "https://github.com/slovensko-digital/autogram/releases/tag/v2.7.2"}, {"url": "https://blog.binary.house/2026/03/pripadova-studia-ako-sme-s-claude-code.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.", "supportingMedia": [{"type": "text/html", "value": "Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.<br><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "bc375322-d3d7-4481-b261-e29662236cfd", "shortName": "SK-CERT", "dateUpdated": "2026-03-19T11:34:05.288Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3511", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:15:06.878Z", "dateReserved": "2026-03-04T10:42:40.045Z", "assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd", "datePublished": "2026-03-19T11:25:44.800Z", "assignerShortName": "SK-CERT"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application."}], "id": "CVE-2026-3511", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "incident@nbu.gov.sk", "type": "Secondary"}]}, "published": "2026-03-19T12:16:18.647", "references": [{"source": "incident@nbu.gov.sk", "url": "https://blog.binary.house/2026/03/pripadova-studia-ako-sme-s-claude-code.html"}, {"source": "incident@nbu.gov.sk", "url": "https://github.com/slovensko-digital/autogram/releases/tag/v2.7.2"}], "sourceIdentifier": "incident@nbu.gov.sk", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "incident@nbu.gov.sk", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Autogram", "source": "cna", "vendor": "Slovensko.Digital"}, "product": "autogram", "vendor": "slovensko.digital"}], "analysis": {"en": {"generated_at": "2026-03-19T12:20:15.397050+00:00", "value": {"mitigation_remediation": ["Update Autogram to the latest released version (e.g., v2.7.2) to obtain the vendor\u2019s fix.", "If an update is not immediately possible, restrict or disable the /sign endpoint for unauthenticated access and configure the application to reject external XML entity references.", "Apply network segmentation or firewall rules to prevent the application from initiating outbound connections to untrusted hosts, mitigating SSF potential."], "summary": {"action": "Immediate Patch", "impact": "Server Side Request Forgery and Local File Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems are instances of the Slovensko.Digital Autogram application. The provided data does not specify exact affected versions, but the vulnerability is present in the code used by the application\u2019s /sign functionality. A patch is referenced in release v2.7.2 of Autogram, yet the description does not confirm that the patch fully resolves the issue. Administrators should verify whether their deployed version includes the fix identified in the v2.7.2 release.", "description_and_impact": "The vulnerability is an improper restriction of XML External Entity (XXE) processing in the XMLUtils.java component of Slovensko.Digital Autogram. It allows a remote, unauthenticated attacker to send a specially crafted XML document to the /sign endpoint, causing the application to resolve external entities. This can lead to server\u2011side request forgery (SSRF) and unauthorized reading of local files on the host system. The primary weaknesses involved are classified under CWE\u2011611, indicating the processing of untrusted XML input that permits external entity resolution.", "risk_and_exploitability": "The CVSS base score of 8.6 places this flaw in the high\u2011severity range, indicating significant potential impact if exploited. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the victim to visit a malicious website that serves the custom XML payload, implying a user\u2011interaction vector. Once executed, the attacker can target internal resources and read sensitive files, presenting a considerable confidentiality risk."}}}}, "created": "2026-03-20T08:56:54.262993+00:00", "title": "Unrestricted XML External Entity Enables SSRF and Local File Disclosure in Slovensko.Digital Autogram", "updated": "2026-03-20T14:15:03.631059+00:00", "vendors": ["slovensko.digital", "slovensko.digital$PRODUCT$autogram"]}