Mustangproject allows exfiltrating files via XXE attacks · CVE-2025-66372 · GitHub Advisory Database · GitHub

Mustangproject allows exfiltrating files via XXE attacks

Low severity GitHub Reviewed Published Nov 28, 2025 to the GitHub Advisory Database • Updated Dec 1, 2025

Package

org.mustangproject:library (Maven)

Affected versions

< 2.16.3

Patched versions

2.16.3

org.mustangproject:validator (Maven)

< 2.16.3

2.16.3

Description

Mustang before 2.16.3 allows exfiltrating files via XXE attacks.

References

Published by the National Vulnerability Database

Nov 28, 2025

Published to the GitHub Advisory Database Nov 28, 2025

Reviewed Dec 1, 2025

Last updated Dec 1, 2025

Severity

Low

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N