{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40882", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-22T20:33:23.304Z", "dateUpdated": "2026-04-23T13:47:07.964Z"}, "containers": {"cna": {"title": "OpenRemote has XXE in Velbus Asset Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"}], "affected": [{"vendor": "openremote", "product": "openremote", "versions": [{"version": "< 1.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:33:23.304Z"}, "descriptions": [{"lang": "en", "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue."}], "source": {"advisory": "GHSA-g24f-mgc3-jwwc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:46:44.026868Z", "id": "CVE-2026-40882", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:47:07.964Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "OpenRemote has XXE in Velbus Asset Import", "source": {"advisory": "GHSA-g24f-mgc3-jwwc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openremote", "product": "openremote", "versions": [{"status": "affected", "version": "< 1.22.0"}]}], "references": [{"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc", "name": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:33:23.304Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40882", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T13:46:44.026868Z"}}}], "references": [{"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T13:47:04.000Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40882", "state": "PUBLISHED", "dateUpdated": "2026-04-22T20:33:23.304Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T20:33:23.304Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F2709DF-FF1C-4D72-BFEF-FE9FC2C1ECC6", "versionEndExcluding": "1.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue."}], "id": "CVE-2026-40882", "lastModified": "2026-04-24T13:24:32.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:08.733", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.22.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openremote", "source": "cna", "vendor": "openremote"}, "product": "openremote", "vendor": "openremote"}], "analysis": {"en": {"generated_at": "2026-04-27T08:25:26.122323+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenRemote 1.22.0 or newer, where the issue is fixed.", "If an upgrade is not immediately possible, restrict access to the Velbus asset import endpoint to privileged users only and monitor for abnormal import activity.", "As a temporary workaround, disable XML external entity support in the XML parser used by the import functionality until a vendor patch is applied."], "summary": {"action": "Apply patch", "impact": "Server\u2011Side Request Forgery and file disclosure."}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of OpenRemote that use a version earlier than 1.22.0. OpenRemote is an open\u2011source Internet\u2011of\u2011Things platform, and the affected component is the Velbus asset import endpoint. Any deployment that has integrated this feature without upgrading to 1.22.0 or later is vulnerable.", "description_and_impact": "This vulnerability is an XML External Entity (XXE) flaw in the Velbus asset import feature of OpenRemote in versions prior to 1.22.0. An authenticated user who can call the import endpoint can supply crafted XML that triggers external entity resolution, enabling the server to read local files up to 1023 characters in length and to make arbitrary outbound HTTP requests (SSRF). This can lead to the disclosure of sensitive data or facilitate further exploitation of external services.", "risk_and_exploitability": "The CVSS score of 7.6 indicates high severity. Authentication is required to reach the vulnerable endpoint, so exploitation is limited to users with valid credentials. The EPSS metric is not available and the CVE is not listed in CISA KEV, suggesting no widespread public exploitation is known. Nonetheless, the combination of server\u2011side file read and SSRF could enable attackers to exfiltrate data or compromise external resources if they gain sufficient permission."}}}}, "created": "2026-04-22T21:30:27.594046+00:00", "updated": "2026-04-27T18:42:00.081030+00:00", "vendors": ["openremote", "openremote$PRODUCT$openremote"]}