Ecosystem	Package	Version

Vulnerabilities

CVE-2026-24515

CVE-2026-24515

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Published Jan 26, 2026

https://github.com/libexpat/libexpat/pull/1131

CVSS ScoreLow

2.5

Ecosystem	Package	Version


conan	bincrafters/expat	2.2.5
cocoapods	expat	2.1.1
cocoapods	expat	2.1
cocoapods	expat	2.2
conan	expat	2.2.10
conan	expat	2.2.7
conan	expat	2.2.8
conan	expat	2.2.9
conan	expat	2.3.0
conan	expat	2.4.1
conan	expat	2.4.2
conan	expat	2.4.3
conan	expat	2.4.4
conan	expat	2.4.5
conan	expat	2.4.6
conan	expat	2.4.7
conan	expat	2.4.8
conan	expat	2.4.9
conan	expat	2.5.0
conan	expat	2.6.0
conan	expat	2.6.1
conan	expat	2.6.2
conan	expat	2.6.3
conan	expat	2.6.4
conan	expat	2.7.0
conan	expat	2.7.1
conan	expat	2.7.2
conan	expat	2.7.3
nuget	expat	2.1.0.10
nuget	expat	2.1.0.11
nuget	expat	2.1.0.4
nuget	expat	2.1.0.5
nuget	expat	2.1.0.6
nuget	expat	2.1.0.8
rpm	expat	1.95.8-11.el5_8
rpm	expat	1.95.8-8.3.el5_5.3
rpm	expat	2.0.1-11.el6_2
rpm	expat	2.0.1-13.el6_8
rpm	expat	2.0.1-9.1.el6
rpm	expat	2.1.0-10.el7_3
rpm	expat	2.1.0-11.el7
rpm	expat	2.1.0-12.0.1.el7
rpm	expat	2.1.0-12.el7
rpm	expat	2.1.0-14.0.1.el7_9
rpm	expat	2.1.0-15.0.1.el7_9
rpm	expat	2.1.0-8.el7
rpm	expat	2.2.10-12.el9_0.2
rpm	expat	2.2.10-12.el9_0.3
rpm	expat	2.2.10-12.el9_0
rpm	expat	2.2.5-10.0.1.el8

CVE-2026-24515 | Components Impacted | Sonatype Guide | Sonatype Guide