
BugForge - Daily - Tanuki (Repeat)

This is a repeat of the daily challenge from January 20th, 2026.


Vulnerability Overview

An XML External Entity (XXE) vulnerability exists in the Import Deck file upload feature of the Tanuki application. The backend XML parser processes user-supplied XML documents with external entity resolution enabled, allowing attackers to read arbitrary files from the server. By submitting a crafted XML payload with an inline DTD declaring an external entity pointing to a local file path, the parser resolves the entity and discloses the file contents in the response.

Key Issues:

  • The XML parser allows DTD processing and external entity expansion on user-supplied input
  • No safeguards are in place to restrict access to local file system resources
  • Attacker-controlled XML input is trusted and parsed directly without validation
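As an added defender-side example (not code from the BugForge post or the Tanuki application), the following Python pre-parse gate addresses the three key issues above by refusing any uploaded deck that carries a DOCTYPE or entity declaration before the real parser ever sees it. The deck schema (`<deck><card name="..."/></deck>`), the function names and the sample documents are assumptions constructed for this example.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document carries a DTD or an entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this on '<!DOCTYPE ...>' before any entity inside it is processed,
    # so an inline DTD declaring an external entity is stopped at the first token.
    raise UnsafeXMLError("DOCTYPE declarations are not accepted in deck imports")


def _reject_entity_decl(*_decl):
    # Defence in depth: also fires for any '<!ENTITY ...>', internal or external.
    raise UnsafeXMLError("entity declarations are not accepted in deck imports")


def check_no_dtd(xml_bytes: bytes) -> None:
    """Pre-parse gate: raise UnsafeXMLError if the document declares a DTD."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    # An exception raised inside a handler propagates out of Parse().
    parser.Parse(xml_bytes, True)


def parse_deck(xml_bytes: bytes) -> list:
    """Return the card names of a deck, refusing any document that fails the gate."""
    check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return [card.get("name") for card in root.iter("card")]


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the gate refused the document, False if it parsed cleanly."""
    try:
        parse_deck(xml_bytes)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (hypothetical deck format, placeholder file path).
SAFE_DECK = b'<?xml version="1.0"?><deck><card name="Tanuki"/><card name="Kitsune"/></deck>'
XXE_DECK = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE deck [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/path">]>'
    b'<deck><card name="&xxe;"/></deck>'
)
```

Rejecting DTDs outright is the documented mitigation for CWE-611; it also closes off internal-entity expansion attacks that an "external entities off" switch alone would leave open.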

Vulnerabilities Covered

  • XML External Entity (XXE) Injection

Classification

  • OWASP Top 10: A03:2021 - Injection
  • Vulnerability Type: XML External Entity (XXE) Injection
  • Attack Surface: File upload and server-side XML parsing functionality
  • CWE: CWE-611 - Improper Restriction of XML External Entity Reference

This post is licensed under CC BY 4.0 by the author.