Cyber Resilience

CVE-2023-26119

Critical · Public PoC · RCE

Published: 03 April 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (HtmlUnit 3.0.0)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0403 (88.7th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-26119 is a critical-severity code injection (CWE-94) vulnerability in HtmlUnit, the Java headless browser published as the Maven artifact net.sourceforge.htmlunit:htmlunit. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 11.3% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.

Deeper analysis

CVE-2023-26119 is a remote code execution flaw in HtmlUnit's XSLT processing that affects every version of net.sourceforge.htmlunit:htmlunit before 3.0.0. The issue stems from insufficient restrictions on the XSLT transformations a browsed page can trigger; it is classified as CWE-94 (code injection) and carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker needs only to host a malicious web page: when an application or user agent built on HtmlUnit browses that page, the page drives the vulnerable XSLT path and attacker-supplied code runs inside the JVM that embeds HtmlUnit, with no privileges or human interaction required. In practice the exposed population is headless crawlers, scrapers and test harnesses that visit untrusted URLs.

Advisories and patches direct users to upgrade to HtmlUnit 3.0.0 or later. The referenced commit 641325bbc84702dc9800ec7037aec061ce21956b implements the fix by restricting the unsafe XSLT handling path, and the Snyk entry for the vulnerability recommends the same upgrade as the primary mitigation. Note that the 3.x line is published under new Maven coordinates (org.htmlunit:htmlunit, with the Java package renamed to org.htmlunit), so the upgrade is a dependency coordinate change plus a package import change, not only a version bump; a scanner that keys on the old net.sourceforge.htmlunit groupId will keep flagging a project until the coordinates are switched.
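To make the weakness class and the shape of the fix concrete, here is an added example that is not HtmlUnit's own code and does not reproduce its internal code path. It feeds a constructed stylesheet, which calls a Java static method through the Xalan extension namespace, to a default JAXP TransformerFactory and to one with FEATURE_SECURE_PROCESSING enabled. The assumption is that the vulnerable path behaves like an unrestricted TransformerFactory, which is the generic CWE-94 pattern for XSLT engines. Whether the unrestricted branch actually executes the call depends on the engine and JDK settings (Apache Xalan runs it; the JDK's built-in XSLTC is governed by the jdk.xml.enableExtensionFunctions property); the hardened branch rejects it on any compliant engine, which is the property a reviewer should verify in the fixed code.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

/** Illustrative example (not HtmlUnit code): unrestricted vs. hardened XSLT processing. */
public class XsltHardeningDemo {

    // Constructed sample stylesheet: it reaches into Java via Xalan's "java:" extension
    // namespace, the classic CWE-94 pattern for XSLT engines. It only reads a system
    // property so it is harmless to run; an attacker's page would call something else.
    static final String EXTENSION_STYLESHEET =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:java=\"http://xml.apache.org/xalan/java\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:value-of select=\"java:java.lang.System.getProperty('java.version')\"/>"
      + "</xsl:template></xsl:stylesheet>";

    // Constructed input document; the stylesheet ignores its content.
    static final String INPUT_XML = "<root/>";

    /** Assumed shape of the vulnerable path: a default factory with no restrictions. */
    static TransformerFactory unrestrictedFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened factory: secure processing disables extension functions and elements;
     *  the ACCESS_EXTERNAL_* attributes stop the stylesheet from pulling remote DTDs
     *  or stylesheets (xsl:import / xsl:include). */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setAttributeIfSupported(tf, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        setAttributeIfSupported(tf, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** JAXP requires setAttribute to throw IllegalArgumentException for names the engine
     *  does not know; older engines may not support the access properties, but secure
     *  processing alone already blocks the extension-function path. */
    static void setAttributeIfSupported(TransformerFactory tf, String name, Object value) {
        try {
            tf.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            System.err.println("engine does not support " + name + "; continuing");
        }
    }

    /** Compiles and runs the stylesheet; returns the text output or the engine's refusal. */
    static String transform(TransformerFactory tf, String stylesheet, String xml) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return "OK: " + out;
        } catch (TransformerException e) {
            // Both a compile-time refusal (TransformerConfigurationException) and a
            // run-time refusal land here; either one means the call was blocked.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unrestricted -> "
            + transform(unrestrictedFactory(), EXTENSION_STYLESHEET, INPUT_XML));
        System.out.println("hardened     -> "
            + transform(hardenedFactory(), EXTENSION_STYLESHEET, INPUT_XML));
    }
}
```

Run it once with Apache Xalan on the classpath and once without to see the engine dependence: the hardened branch must report REJECTED in both runs. The same check, applied to any library that exposes XSLT to untrusted input, is the quickest way to confirm that a fix actually closes the extension-function path rather than just changing error handling.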

EPSS for the CVE reached a peak of 0.0736 on 2025-01-22 before receding to the current value of 0.0403.


Vulnerability details

Versions of the package net.sourceforge.htmlunit:htmlunit before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing an attacker-controlled web page.

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

htmlunit (vendor)
htmlunit (product, Maven artifact net.sourceforge.htmlunit:htmlunit)
< 3.0.0 (all releases before the 3.0.0 fix)

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness type (CWE) cited in the NVD entry, not from an analysis of this specific flaw.

Addresses CWE-94: makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-94: dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.

Addresses CWE-94: validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-94: directly prevents execution of attacker-supplied code written into data memory regions.

Only the isolation and input-validation controls bear on this CVE. The injected code is executed by the XSLT engine inside the JVM, so controls aimed at machine-code injection (non-executable data pages, read-only program images) do not stop it. The effective measures are the upgrade to HtmlUnit 3.0.0 or later, restricting what the XSLT engine may execute, and running any HtmlUnit-based crawler that visits untrusted pages in an isolated, least-privilege environment.
