GHSA-6296-mvgp-27hp

GitHub Security Advisory

XML External Entity Reference in Eclipse Lyo

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with default settings that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Affected Packages

Maven org.eclipse.lyo:lyo-parent
Affected versions: 1.0.0 (fixed in 5.0.0.Final)

Related CVEs

Key Information

GHSA ID
GHSA-6296-mvgp-27hp
Published
July 8, 2022 12:00 AM
Last Modified
July 8, 2022 5:53 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.eclipse.lyo:lyo-parent
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.