Improper XML Handling in Apache SIS Leading to File Exposure
CVE-2025-68280

6.5 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
5 January 2026

What is CVE-2025-68280?

Apache SIS improperly handles XML External Entity (XXE) references, so a maliciously crafted XML file can expose sensitive local files on the server hosting the application. The issue affects several SIS services: GeoTIFF file reading, ISO 19115 metadata parsing, GML-defined Coordinate Reference Systems, and GPS Exchange Format (GPX) file parsing. Users are advised to upgrade to version 1.6, which resolves the vulnerability. Until then, restricting the Java XML parsing options mitigates the risk.

Affected Version(s)

Apache SIS 0.4 through 1.5 (inclusive)

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

LEE