CVE-2024-13971 HIGH

CVE-2024-13971: Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro

Vendor: Lobster Gmbh
Product: Lobster_pro
Weakness: CWE-611 · XXE
Published: April 30, 2026
Last update: May 17, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/V:C

What the vulnerability does

01 Description

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Key dates

02 Disclosure timeline

April 30, 2026 CVE published
May 17, 2026 Record updated