EXECUTIVE SUMMARY:
CVE-2026-40882 is a high-severity vulnerability in OpenRemote Manager, which improperly processes attacker-controlled XML during Velbus asset imports. An authenticated user with import access can trigger XML External Entity (XXE) behaviour. Successful exploitation may enable limited local file disclosure from the server runtime, provided the targeted file content is under a size threshold, and could also facilitate server-side request forgery (SSRF). Organizations should apply the latest security updates promptly and restrict asset import permissions to trusted users. The vulnerability has a CVSS score of 7.6.
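The XXE behaviour described above is the classic result of parsing untrusted XML with DTD and entity declarations honoured. The following is an added defensive example, not OpenRemote's own code: an import document is screened for DOCTYPE and entity declarations before it is parsed, so a file that declares an external entity is rejected up front. The element names and the file path in the constructed sample documents are placeholders, not the real Velbus import schema.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from typing import List, Optional


class UnsafeXmlError(ValueError):
    """Raised when an import document carries a DTD or entity declaration."""


def screen_import(xml_bytes: bytes) -> Optional[str]:
    """Return None if the document declares no DTD/entities, else a rejection reason.

    Expat is driven once only to observe declarations; external entities are
    never resolved because no ExternalEntityRefHandler is installed.
    """
    parser = expat.ParserCreate()
    reason: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        reason.append(f"DOCTYPE declaration for <{name}> is not allowed in imports")
        raise UnsafeXmlError(reason[-1])

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        reason.append(f"entity declaration '{name}' is not allowed in imports")
        raise UnsafeXmlError(reason[-1])

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except UnsafeXmlError:
        return reason[-1]
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


def parse_velbus_import(xml_bytes: bytes) -> ET.Element:
    """Parse an asset import only after it passes the DTD screen."""
    problem = screen_import(xml_bytes)
    if problem is not None:
        raise UnsafeXmlError(problem)
    return ET.fromstring(xml_bytes)


# Constructed samples: placeholder element names, not the real Velbus schema.
BENIGN_IMPORT = b"""<?xml version="1.0"?>
<velbus><module address="0x01" type="relay"/></velbus>"""

DTD_IMPORT = b"""<?xml version="1.0"?>
<!DOCTYPE velbus [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>
<velbus><module name="&ext;"/></velbus>"""
```

Rejecting any DOCTYPE is stricter than only disabling external entity resolution, but it also blocks internal-entity expansion attacks and is the simplest policy to verify for an import feature that never legitimately needs a DTD.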
RECOMMENDATION:
Apply the latest security updates promptly and restrict asset import permissions to trusted users.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-g24f-mgc3-jwwc