CVE-2026-12993
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A flaw was found in Apicurio Registry where DocumentBuilderAccessor blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) causing CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
Risk Assessment
The risk is a potential XML Entity Expansion (billion-laughs) attack leading to denial of service (DoS) by exhausting server CPU and memory resources, impacting system availability.
Recommendation
Update Apicurio Registry to a patched version or manually configure DocumentBuilderFactory to disable DOCTYPE and enable FEATURE_SECURE_PROCESSING.
Original NVD description (English source)
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.

