Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-8gtd-vkd5-2uat
Vulnerability ID VCID-8gtd-vkd5-2uat
Aliases CVE-2016-3674
GHSA-rgh3-987h-wpmw
Summary
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-611 Improper Restriction of XML External Entity Reference
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
cvssv3.1 7.5 http://rhn.redhat.com/errata/RHSA-2016-2822.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2016-2822.html
cvssv3.1 7.5 http://rhn.redhat.com/errata/RHSA-2016-2823.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2016-2823.html
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json
epss 0.04224 https://api.first.org/data/v1/epss?cve=CVE-2016-3674
epss 0.04224 https://api.first.org/data/v1/epss?cve=CVE-2016-3674
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rgh3-987h-wpmw
cvssv3.1 7.5 https://github.com/x-stream/xstream
generic_textual HIGH https://github.com/x-stream/xstream
cvssv3.1 7.5 https://github.com/x-stream/xstream/issues/25
generic_textual HIGH https://github.com/x-stream/xstream/issues/25
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2016-3674
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2016-3674
cvssv3.1 7.5 https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
generic_textual HIGH https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
cvssv3.1 7.5 http://www.debian.org/security/2016/dsa-3575
generic_textual HIGH http://www.debian.org/security/2016/dsa-3575
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2016/03/25/8
generic_textual HIGH http://www.openwall.com/lists/oss-security/2016/03/25/8
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2016/03/28/1
generic_textual HIGH http://www.openwall.com/lists/oss-security/2016/03/28/1
cvssv3.1 7.5 http://www.securityfocus.com/bid/85381
generic_textual HIGH http://www.securityfocus.com/bid/85381
cvssv3.1 7.5 http://www.securitytracker.com/id/1036419
generic_textual HIGH http://www.securitytracker.com/id/1036419
cvssv3.1 7.5 http://x-stream.github.io/changes.html#1.4.9
generic_textual HIGH http://x-stream.github.io/changes.html#1.4.9
Reference id Reference type URL
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html
http://rhn.redhat.com/errata/RHSA-2016-2823.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json
https://api.first.org/data/v1/epss?cve=CVE-2016-3674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
https://github.com/x-stream/xstream
https://github.com/x-stream/xstream/commit/25c6704bea149ee93c294ae5b6e0aecd182fea88
https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f
https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe94
https://github.com/x-stream/xstream/commit/7c77ac0397a1f93c69d2776a13c31957f55d1647
https://github.com/x-stream/xstream/commit/806949e1b3c22a3b31819a37402489a0303221a
https://github.com/x-stream/xstream/commit/87172cfc1dd7f8f6e137963c778b03efd14ac446
https://github.com/x-stream/xstream/commit/c9b121a88664988ccbabd83fa27bfc2a5e0bd139
https://github.com/x-stream/xstream/commit/e4f1457e681e015be83c6b0b84947676980e29d
https://github.com/x-stream/xstream/issues/25
https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
http://www.debian.org/security/2016/dsa-3575
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://www.securitytracker.com/id/1036419
http://x-stream.github.io/changes.html#1.4.9
1321789 https://bugzilla.redhat.com/show_bug.cgi?id=1321789
819455 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455
CVE-2016-3674 https://nvd.nist.gov/vuln/detail/CVE-2016-3674
GHSA-rgh3-987h-wpmw https://github.com/advisories/GHSA-rgh3-987h-wpmw
RHSA-2016:2822 https://access.redhat.com/errata/RHSA-2016:2822
RHSA-2016:2823 https://access.redhat.com/errata/RHSA-2016:2823
USN-6978-1 https://usn.ubuntu.com/6978-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://rhn.redhat.com/errata/RHSA-2016-2822.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://rhn.redhat.com/errata/RHSA-2016-2823.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3674.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/x-stream/xstream
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/x-stream/xstream/issues/25
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-3674
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.debian.org/security/2016/dsa-3575
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2016/03/25/8
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2016/03/28/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.securityfocus.com/bid/85381
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.securitytracker.com/id/1036419
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://x-stream.github.io/changes.html#1.4.9
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.89008
EPSS Score 0.04224
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:20:04.708655+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 38.6.0