7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-15026

GHSA ID

GHSA-4jx2-hvqw-93j9

EPSS Score

0.1972%

CWE

CWE-611

Published

2/20/2023

Updated

10/20/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-15026

CVE-2016-15026: dd-plist XML External Entitly vulnerability

A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-15026

GHSA ID

GHSA-4jx2-hvqw-93j9

EPSS Score

0.1972%

CWE

CWE-611

Published

2/20/2023

Updated

10/20/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.googlecode.plist:dd-plist	maven	< 1.18	1.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in pre-1.18 versions. Key indicators:

The commit patching CVE-2016-15026 shows significant changes to XMLPropertyListParser.java's DocumentBuilderFactory configuration
Pre-patch code lacked features like setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
The original EntityResolver only handled Apple DTDs but didn't block other external entities
All XML parsing flows went through getDocBuilder(), making it the central vulnerable component
The NVD description explicitly cites improper restriction of XML external entity references as the root cause

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in **r***t **-plist *.** *n* *l*ssi*i** *s pro*l*m*ti*. *****t** *y t*is issu* is som* unknown *un*tion*lity. T** m*nipul*tion l***s to xml *xt*rn*l *ntity r***r*n**. *n *tt**k **s to ** *ppro***** lo**lly. Up*r**in* to v*rs

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in pr*-*.** v*rsions. K*y in*i**tors: *. T** *ommit p*t**in* *V*-****-***** s*ows si*ni*i**nt ***n**s to XMLProp*rtyListP*rs*r.j*v*'s *o*um*nt*uil**r***tory *on*i*ur*tion *. Pr*-p*t** *o*

7.8

Basic Information

Concerned about an active attack path?

CVE-2016-15026: dd-plist XML External Entitly vulnerability

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI