PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10127 Pysaml2 Project CVE debrief

CVE-2016-10127 is a critical XML external entity (XXE) issue in PySAML2. A crafted SAML XML request or response can trigger unsafe XML parsing, which may expose sensitive data or otherwise affect confidentiality, integrity, and availability. The NVD record rates the issue 9.0/CRITICAL and maps it to CWE-611.

Vendor
Pysaml2 Project
Product
PySAML2 (CPE pysaml2_project:pysaml2)
CVSS
9.0 CRITICAL (CVSS v3.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Organizations running PySAML2 in SAML identity provider or service provider roles, especially teams responsible for federation endpoints, XML parsing, and application security. Security operations and vulnerability management teams should also prioritize this finding because the NVD vector scores it as network-reachable (AV:N) with high confidentiality, integrity, and availability impact.

Technical summary

The supplied NVD record identifies CVE-2016-10127 as CWE-611 (XXE) in PySAML2. The CVSS v3.0 vector describes a network attack vector (AV:N) with low attack complexity, low privileges required (PR:L), user interaction required (UI:R), and a changed scope (S:C), meaning the parsed document can affect resources beyond the SAML component itself. The vulnerability is triggered by crafted SAML XML request or response content whose DTD declares external entities; when the parser resolves them, the referenced resource is read and its contents are pulled into the document. Supplied references include an upstream patch commit, issue tracker entries, and third-party advisories.

Defensive priority

Immediate

Recommended defensive actions

  • Identify all deployments that use PySAML2 and confirm whether they are exposed to untrusted SAML traffic.
  • Apply the upstream fix referenced by the supplied GitHub patch commit and ensure your packaged release includes that remediation.
  • Review XML parser settings and disable external entity and DTD processing where applicable, even if the library patch is already applied. A SAML message has no legitimate need for a DOCTYPE, so rejecting any DOCTYPE outright is the simplest policy.
  • Test SAML endpoints in a controlled environment with a message that declares an external entity, and confirm that neither entity expansion nor external resource resolution takes place.
  • Prioritize remediation on internet-facing identity and federation services using PySAML2.
  • Track downstream distribution advisories or package updates that incorporate the upstream patch.
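The following is an added example, not code from PySAML2 or from its upstream patch. It uses only the Python standard library expat bindings to show the two parser shapes the action list above contrasts: one that resolves external entities declared in a DTD (the CWE-611 pattern) and one that refuses any DOCTYPE or entity declaration before the body is parsed, which is the shape a defusedxml-style parser enforces. The SAML Response documents and the in-memory "file system" are constructed for the demo so it runs offline; the entity name, the file path and the helper names are illustrative.

```python
"""Added example (not PySAML2 code): the XXE parser pattern behind CVE-2016-10127
beside its hardened counterpart, plus the controlled check from the action list."""
import xml.parsers.expat as expat


class XXEBlocked(Exception):
    """Raised when a document carries a DOCTYPE or entity declaration we refuse to process."""


# Constructed stand-in for the local file system so the demo never reads real files.
FAKE_FS = {"/etc/hostname": "idp-internal-01"}

# Constructed SAML Response: the DTD declares an external entity and the Issuer
# element references it, so a resolving parser copies the target into the document.
MALICIOUS_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-1" Version="2.0">
  <saml:Issuer>&xxe;</saml:Issuer>
</samlp:Response>
"""

# Constructed benign Response with no DTD at all, the normal case for SAML traffic.
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-2" Version="2.0">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
</samlp:Response>
"""


def _issuer_collector(parser):
    """Install element/character handlers that gather the text of the Issuer element."""
    state = {"inside": False, "text": []}

    def start(name, attrs):
        if name.endswith("Issuer"):
            state["inside"] = True

    def end(name):
        if name.endswith("Issuer"):
            state["inside"] = False

    def chars(data):
        if state["inside"]:
            state["text"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return state


def issuer_unsafe(doc):
    """Vulnerable shape: an external entity reference is honoured by fetching its target."""
    parser = expat.ParserCreate()
    state = _issuer_collector(parser)

    def external_ref(context, base, system_id, public_id):
        # The XXE sink: the attacker-controlled DTD chooses what is read, and the
        # content is parsed as part of the document (the child parser inherits handlers).
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(FAKE_FS.get(path, ""), True)
        return 1

    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(doc, True)
    return "".join(state["text"]).strip()


def issuer_hardened(doc):
    """Hardened shape: reject any DOCTYPE or entity declaration up front and never
    install an external-entity handler, so no resource can be resolved."""
    parser = expat.ParserCreate()
    state = _issuer_collector(parser)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XXEBlocked("DOCTYPE not allowed in SAML messages: %s" % doctype_name)

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise XXEBlocked("entity declaration not allowed: %s" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.Parse(doc, True)
    return "".join(state["text"]).strip()


def check_endpoint_parser(parse_fn):
    """Controlled test: feed the entity-bearing message and classify the outcome."""
    try:
        leaked = parse_fn(MALICIOUS_RESPONSE)
    except XXEBlocked:
        return "blocked"
    return "leaks" if FAKE_FS["/etc/hostname"] in leaked else "ignored"


if __name__ == "__main__":
    print("unsafe parser:  ", check_endpoint_parser(issuer_unsafe))
    print("hardened parser:", check_endpoint_parser(issuer_hardened))
    print("benign issuer:  ", issuer_hardened(BENIGN_RESPONSE))
```

The rejection happens in the DOCTYPE handler, before any entity is declared or referenced, so the hardened parser never has to decide what an entity points at. The same check_endpoint_parser routine can be pointed at whatever parse function your deployment actually uses to ingest SAML messages, which is the controlled test the action list asks for.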

Evidence notes

The supplied official NVD record lists CVE-2016-10127 as CWE-611 with CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H and identifies the vulnerable CPE as pysaml2_project:pysaml2. Supporting references in the corpus include the upstream GitHub commit, issue #366, pull request #379, and OSS-security/Debian advisories. The CVE publication date supplied is 2017-03-03; references in the corpus show vulnerability discussion and patch activity before that date.

Official resources

The CVE was publicly disclosed with an NVD publication date of 2017-03-03. The supplied reference corpus shows advisory and patch discussion in January 2017, but the date of record for the CVE is the NVD publication timestamp given above.