A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
Conclusion & alert: CVE-2017-7375 is rated High Risk (68.4/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 2.64%). Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-28 | 2.69% | 2.64% | -0.05% |
| 2 | 2026-06-15 | 0.44% | 2.69% | +2.25% |
| 3 | 2026-05-10 | — | 0.44% | — |
Full EPSS history (21 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 9.8 | 3.0 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2017-7375: 1 source package rows (libxml2); 15 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 0, open 15. | https://security.alpinelinux.org/vuln/CVE-2017-7375 |
debian
|
not yet assigned | CVE-2017-7375 not yet assigned priority: Debian including 1 source packages (libxml2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2017-7375 |
gentoo
|
normal | CVE-2017-7375: 1 GLSA(s) (201711-01), 1 atom(s) (dev-libs/libxml2); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2017-7375 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2017-7375 |
suse
|
medium | CVE-2017-7375 severity moderate: SUSE including 33 source package names (0.9.1:libxml2-2-2.9.4-45.1, 1.0.0:libxml2-2-2.9.4-45.1, …), 116 product×package rows across 59 product lines (Container caasp/v4/default-http-backend, Container caasp/v4/dnsmasq-nanny, … (59 product lines)): Fixed 116. | https://www.suse.com/security/cve/CVE-2017-7375/ |
ubuntu
|
medium | CVE-2017-7375 medium priority: Ubuntu including 1 source packages (libxml2), 5 status rows across 5 suites (trusty, upstream, xenial, yakkety, zesty): released 4, ignored 1. | https://ubuntu.com/security/CVE-2017-7375 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| xmlsoft | libxml2 | <= 2.9.4 | cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:* |
| debian | debian_linux | 7.0 | cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| android | 4.4.4 | cpe:2.3:o:google:android:4.4.4:*:*:*:*:*:*:* | |
| android | 5.0.2 | cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:* | |
| android | 5.1.1 | cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:* | |
| android | 6.0 | cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:* | |
| android | 6.0.1 | cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:* | |
| android | 7.0 | cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:* | |
| android | 7.1.1 | cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:* | |
| android | 7.1.2 | cpe:2.3:o:google:android:7.1.2:*:*:*:*:*:*:* | |
| xmlsoft | libxml2 | 2.9.4 | cpe:2.3:a:xmlsoft:libxml2:2.9.4:rc1:*:*:*:*:*:* |
| xmlsoft | libxml2 | 2.9.4 | cpe:2.3:a:xmlsoft:libxml2:2.9.4:rc2:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/98877 | Third Party Advisory VDB Entry |
| http://www.securitytracker.com/id/1038623 | Third Party Advisory VDB Entry |
| https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa | Patch Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1462203 | Issue Tracking Patch Third Party Advisory |
| https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e | Patch Third Party Advisory |
| https://security.gentoo.org/glsa/201711-01 | Third Party Advisory |
| https://source.android.com/security/bulletin/2017-06-01 | Patch Third Party Advisory |
| https://www.debian.org/security/2017/dsa-3952 | Third Party Advisory |