CVE-2025-1781 Information

Description

There is a XXE in W3CSS Validator versions before cssval-20250226 that allows an attacker to use specially-crafted XML objects to coerce server-side request forgery (SSRF).  This could be exploited to read arbitrary local files if an attacker has access to exception messages.

Reference

https://github.com/google/security-research/security/advisories/GHSA-745m-xmq6-g6x7