GHSA-wfw6-mmmp-87xm · Severity: medium · Ecosystem: maven — Improper Input Validation in Apache Batik
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Conclusion & alert: CVE-2015-0250 is rated High Exploit Risk (72.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.94%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.86% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-30 | 1.08% | 2.94% | +1.86% |
| 2 | 2026-05-13 | 1.46% | 1.08% | -0.38% |
| 3 | 2026-03-13 | — | 1.46% | — |
Full EPSS history (24 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.4 | 2.0 | MEDIUM |
|
10.0 | 4.9 | [email protected] |
GHSA-wfw6-mmmp-87xm · Severity: medium · Ecosystem: maven — Improper Input Validation in Apache Batik
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2015-0250 not yet assigned priority: Debian including 1 source packages (batik), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2015-0250 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2015-0250 |
suse
|
medium | CVE-2015-0250 severity moderate: SUSE including 2 source package names (xmlgraphics-batik, xmlgraphics-batik-css), 2 product×package rows across 1 product lines (SUSE Linux Enterprise Module for Development Tools 15 SP2): Known Not Affected 2. | https://www.suse.com/security/cve/CVE-2015-0250/ |
ubuntu
|
medium | CVE-2015-0250 medium priority: Ubuntu including 1 source packages (batik), 5 status rows across 5 suites (lucid, precise, trusty, upstream, utopic): released 4, ignored 1. | https://ubuntu.com/security/CVE-2015-0250 |
: <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| canonical | ubuntu_linux | 12.04 | cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 14.04 | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 14.10 | cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:* |
| apache | batik | <= 1.7 | cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:* |
| redhat | jboss_enterprise_brms_platform | <= 6.1.2 | cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:* |