{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6807", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-04-21T16:01:40.334Z", "datePublished": "2026-04-28T17:41:13.480Z", "dateUpdated": "2026-04-28T17:41:13.480Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-04-28T17:41:13.480Z"}, "title": "NSA GRASSMARLIN Improper Restriction of XML External Entity Reference", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-611", "description": "CWE-611", "type": "CWE"}]}], "affected": [{"vendor": "NSA", "product": "GRASSMARLIN", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process."}]}], "tags": ["unsupported-when-assigned"], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-118-01.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "workarounds": [{"lang": "en", "value": "NSA has indicated that the GRASSMARLIN project has reached end-of-life \nstatus as of 2017 and is no longer supported. The project is archived, \nand no patches or further updates are planned or expected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "NSA has indicated that the GRASSMARLIN project has reached end-of-life \nstatus as of 2017 and is no longer supported. The project is archived, \nand no patches or further updates are planned or expected."}]}], "credits": [{"lang": "en", "value": "Grady DeRosa reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-118-01", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [{"sourceIdentifier": "ics-cert@hq.dhs.gov", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process."}], "id": "CVE-2026-6807", "lastModified": "2026-04-28T20:10:23.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-04-28T19:37:47.773", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-118-01.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T23:12:28.711884+00:00", "value": {"mitigation_remediation": ["Decommission GRASSMARLIN and migrate to a supported platform that uses hardened XML parsing.", "If decommissioning is not immediately possible, reconfigure or update the XML parser to disable external entity processing or apply a temporary patch that enforces safe handling.", "Continuously monitor for anomalous XML traffic and employ runtime monitoring to detect attempts to exploit XML-based weaknesses."], "summary": {"action": "Discontinue Use", "impact": "Sensitive data may be disclosed through XML external entity processing in GRASSMARLIN v3.2.1."}, "threat_synthesis": {"affected_systems": "The affected system is the NSA GRASSMARLIN project, version 3.2.1. No additional versions or vendors are listed in the advisory.", "description_and_impact": "A vulnerability in GRASSMARLIN v3.2.1 allows an attacker to craft session data that triggers the parsing of XML external entity references, a weakness classified as CWE-611. The inadequate hardening of the XML parser permits the application to read data from external sources specified by the attacker, potentially exposing sensitive information that the system processes or stores.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in CISA KEV. The likely attack vector is an attacker able to submit crafted XML within session data\u2014either through a remote interface that accepts XML input or via local manipulation of session files. Because the project is end\u2011of\u2011life and no patch exists, the only effective risk mitigation is to retire the application or enforce strict XML parsing safeguards."}}}}, "created": "2026-04-28T23:15:43.858421+00:00", "updated": "2026-04-28T23:15:43.858431+00:00", "vendors": []}