RubySec

Providing security resources for the Ruby community

CVE-2026-61570 (mpxj): XXE Vulnerability in MerlinReader

XXE Vulnerability in MerlinReader

Published: June 22, 2026

SECURITY IDENTIFIERS

GEM

mpxj

SEVERITY

CVSS v3.x: 7.5 (High)

UNAFFECTED VERSIONS

< 5.5.5

PATCHED VERSIONS

>= 16.4.1

DESCRIPTION

Impact

MPXJ used the default configuration when creating a DocumentBuilder instance, which leaves doctype declarations enabled, when parsing the XML content of the ZTIMEINTERVALS column from a Merlin project SQLite file. This would allow a carefully crafted XML payload to read an arbitrary file. However, although an arbitrary file can be read, the way the resulting parsed XML is processed by MPXJ means that the data it contains is unlikely to be available for exfiltration.

Workarounds

Potential workarounds include:

  • Avoid reading Merlin project files with MPXJ
  • Only accept Merlin project files from trusted sources
  • Preprocess Merlin SQLite databases to strip doctype declarations from the ZTIMEINTERVALS column

RELATED