
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-26119 affects net.sourceforge.htmlunit:htmlunit in versions from 0 up to, but not including, 3.0.0. The vulnerability allows Remote Code Execution (RCE) via XSLT when browsing an attacker's webpage. The issue was disclosed on January 29, 2023, and published on April 2, 2023 (Snyk Advisory).
The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack vector is network-based with low attack complexity, and exploitation requires no privileges, authentication, or user interaction. The scope is unchanged, but the impact is high for confidentiality, integrity, and availability (Snyk Advisory).
Successful exploitation of this vulnerability can result in total loss of confidentiality, integrity, and availability of the affected system. The attacker can gain complete control over the system resources, potentially leading to unauthorized access, data manipulation, and system disruption (Snyk Advisory).
Users are advised to upgrade to org.htmlunit:htmlunit component v3.0.0 or later, which contains a fix for this vulnerability. The fix was implemented by enabling FEATURE_SECURE_PROCESSING for the XSLT processor (GitHub Commit).
Source: This report was generated using AI