Cyber Posture

CVE-2026-3511

Severity: High
Published: 19 March 2026
Modified: 19 March 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: available (Autogram v2.7.2)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0006 (19.6th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3511 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. The vendor is recorded as Binary (inferred from references; the NVD description names the affected application as Slovensko.Digital Autogram). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). EPSS ranks it at the 19.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly remediates the XXE vulnerability in XMLUtils.java by applying the vendor patch released in Autogram v2.7.2.

prevent (SI-10, Information Input Validation): Validates XML inputs to the /sign endpoint to reject external entity references that would otherwise enable SSRF and local file access.

prevent (CM-6, Configuration Settings): Enforces secure configuration settings for XML parsers to disable external entity resolution, preventing exploitation of CWE-611.
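The two configuration-level controls above (input validation on the /sign endpoint and a parser configured to never resolve external entities) are what the following example shows in Java, the language of the affected XMLUtils.java. This is an added illustration, not Autogram's code or its patch: the class name HardenedXmlParser and the helper names are hypothetical, and the XXE-shaped sample document is constructed here with a placeholder path purely to show that the hardened parser rejects it before any entity is resolved.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Hypothetical helper (not Autogram's XMLUtils.java): builds a JAXP parser that
// cannot be driven into XXE, then demonstrates it on a benign and an XXE-shaped input.
public class HardenedXmlParser {

    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE. Entity declarations live in the DOCTYPE,
        // so an input that has none cannot declare an external entity at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE ever has to be permitted: never resolve
        // external general or parameter entities, and never fetch an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP-level switches: an empty protocol list forbids all external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // XInclude is another route to local file reads; entity expansion is not needed here.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Input validation step for a /sign-style endpoint: parse only through the hardened
    // factory, and install a resolver that returns empty content even if a feature above
    // were unsupported by some parser implementation.
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document.
        String benign = "<sign><document>hello</document></sign>";
        System.out.println("benign root element: " + parse(benign).getDocumentElement().getTagName());

        // Constructed sample of the shape an XXE document takes: a DOCTYPE declaring an
        // external entity. The SYSTEM path is a placeholder, not a real file.
        String xxeShaped = "<!DOCTYPE sign [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
                         + "<sign><document>&ext;</document></sign>";
        try {
            parse(xxeShaped);
            System.out.println("UNEXPECTED: DOCTYPE-bearing document was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl makes the parser stop at the DOCTYPE, so the entity is
            // never declared, let alone resolved against the filesystem or the network.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The design point is that the DOCTYPE ban is the control that actually closes both the local-file-read and the SSRF paths the record describes; the remaining feature and attribute settings only matter if an application has a legitimate reason to accept DOCTYPEs, in which case they keep the parser from fetching anything external.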

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1046 Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Why these techniques?

XXE directly enables local file read (T1005) and SSRF for internal network probing (T1046).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows a remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends a request containing a specially crafted XML document to the /sign endpoint of the local HTTP server run by the application.

Deeper analysis (AI-generated)

CVE-2026-3511 is an Improper Restriction of XML External Entity Reference vulnerability (CWE-611) in XMLUtils.java within the Slovensko.Digital Autogram application. Published on 2026-03-19T12:16:18.647, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The issue enables remote unauthenticated attackers to perform SSRF attacks and gain unauthorized access to local files on the filesystem of systems running the vulnerable application.

Exploitation involves a victim visiting a specially crafted website that transmits a request containing a malicious XML document to the /sign endpoint of the local HTTP server operated by Autogram. A remote unauthenticated attacker can leverage this to conduct SSRF and read sensitive local files, which is why the vector scores high confidentiality impact (C:H) with changed scope (S:C).

The GitHub release for Autogram v2.7.2 provides a patch addressing this vulnerability. Further details on the issue and discovery are available in the advisory at https://blog.binary.house/2026/03/pripadova-studia-ako-sme-s-claude-code.html.

Details

CWE(s): CWE-611 Improper Restriction of XML External Entity Reference

Affected Products: Binary (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-40882 (shared CWE-611)
CVE-2025-66516 (shared CWE-611)
CVE-2026-33913 (shared CWE-611)
CVE-2025-0162 (shared CWE-611)
CVE-2025-61813 (shared CWE-611)
CVE-2026-41066 (shared CWE-611)
CVE-2024-56324 (shared CWE-611)
CVE-2026-1567 (shared CWE-611)
CVE-2024-49781 (shared CWE-611)
CVE-2025-36589 (shared CWE-611)
