Search for vulnerabilities
Vulnerability details: VCID-n13q-cuhb-27g2
Vulnerability ID VCID-n13q-cuhb-27g2
Aliases CVE-2015-8806
GHSA-7hp2-xwpj-95jq
Summary Denial of service or RCE from libxml2 and libxslt Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks. For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-125 Out-of-bounds Read
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-122 Heap-based Buffer Overflow
System Score Found at
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
epss 0.08565 https://api.first.org/data/v1/epss?cve=CVE-2015-8806
cvssv3.1 7.5 https://bugzilla.gnome.org/show_bug.cgi?id=749115
generic_textual HIGH https://bugzilla.gnome.org/show_bug.cgi?id=749115
cvssv2 4.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-7hp2-xwpj-95jq
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml
cvssv3.1 7.5 https://github.com/sparklemotion/nokogiri
generic_textual HIGH https://github.com/sparklemotion/nokogiri
cvssv3 7.5 https://github.com/sparklemotion/nokogiri/issues/1473
cvssv3.1 7.5 https://github.com/sparklemotion/nokogiri/issues/1473
generic_textual HIGH https://github.com/sparklemotion/nokogiri/issues/1473
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2015-8806
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2015-8806
cvssv3.1 7.5 https://security.gentoo.org/glsa/201701-37
generic_textual HIGH https://security.gentoo.org/glsa/201701-37
cvssv3.1 7.5 https://web.archive.org/web/20160928171015/http://www.securityfocus.com/bid/82071
generic_textual HIGH https://web.archive.org/web/20160928171015/http://www.securityfocus.com/bid/82071
cvssv3.1 7.5 https://www.debian.org/security/2016/dsa-3593
generic_textual HIGH https://www.debian.org/security/2016/dsa-3593
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2016/02/03/5
generic_textual HIGH http://www.openwall.com/lists/oss-security/2016/02/03/5
cvssv3.1 7.5 http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
cvssv3.1 7.5 http://www.ubuntu.com/usn/USN-2994-1
generic_textual HIGH http://www.ubuntu.com/usn/USN-2994-1
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-8806.json
https://api.first.org/data/v1/epss?cve=CVE-2015-8806
https://bugzilla.gnome.org/show_bug.cgi?id=749115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml
https://github.com/sparklemotion/nokogiri
https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028
https://github.com/sparklemotion/nokogiri/issues/1473
https://mail.gnome.org/archives/xml/2016-May/msg00023.html
https://nvd.nist.gov/vuln/detail/CVE-2015-8806
https://security.gentoo.org/glsa/201701-37
https://web.archive.org/web/20160928171015/http://www.securityfocus.com/bid/82071
https://www.debian.org/security/2016/dsa-3593
http://www.openwall.com/lists/oss-security/2016/02/03/5
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.ubuntu.com/usn/usn-2994-1/
http://www.ubuntu.com/usn/USN-2994-1
1304636 https://bugzilla.redhat.com/show_bug.cgi?id=1304636
813613 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813613
GHSA-7hp2-xwpj-95jq https://github.com/advisories/GHSA-7hp2-xwpj-95jq
USN-2994-1 https://usn.ubuntu.com/2994-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.gnome.org/show_bug.cgi?id=749115
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/sparklemotion/nokogiri
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/sparklemotion/nokogiri/issues/1473
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2015-8806
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.gentoo.org/glsa/201701-37
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://web.archive.org/web/20160928171015/http://www.securityfocus.com/bid/82071
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.debian.org/security/2016/dsa-3593
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2016/02/03/5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.ubuntu.com/usn/USN-2994-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.92011
EPSS Score 0.08565
Published At Aug. 8, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:56.233759+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-8806.yml 37.0.0