From 287c4005766524cb2be5ddfb87d844ca815aa5a2 Mon Sep 17 00:00:00 2001 From: "Nithin S. Sabu" Date: Tue, 10 Feb 2026 14:14:47 +0100 Subject: [PATCH] docs: add security notice for CVE-2026-25128 --- docs/reference/notices.md | 28 +++++++++++++++++++ .../version-8.6/reference/notices.md | 28 +++++++++++++++++++ .../version-8.7/reference/notices.md | 28 +++++++++++++++++++ .../version-8.8/reference/notices.md | 28 +++++++++++++++++++ 4 files changed, 112 insertions(+) diff --git a/docs/reference/notices.md b/docs/reference/notices.md index acf85e9fa94..70e09819982 100644 --- a/docs/reference/notices.md +++ b/docs/reference/notices.md @@ -19,6 +19,34 @@ Report security vulnerabilities to Camunda immediately, following the instructio To learn more about security at Camunda, including our security policy, security issue management, and more, see [Camunda.com/security](https://camunda.com/security). ::: +## Notice 39 + +### Publication date + +Feb 10, 2026 + +### Products affected + +- Camunda Web Modeler + +### Impact + +The version of `fast-xml-parser` used by Camunda Web Modeler was affected by [CVE-2026-25128](https://nvd.nist.gov/vuln/detail/CVE-2026-25128), a RangeError vulnerability that could crash any application that processes untrusted XML input. + +### How to determine if the installation is affected + +You are using: + +- Web Modeler Self-Managed ≤ 8.8.6, ≤ 8.7.15, or ≤ 8.6.24 + +### Solution + +Camunda has provided the following releases that contain the fix: + +- Web Modeler Self-Managed 8.8.7, 8.7.16, 8.6.25 + +The fix was deployed to Web Modeler SaaS on February 2, 2026, 15:15 CET. + ## Notice 38 ### Publication date diff --git a/versioned_docs/version-8.6/reference/notices.md b/versioned_docs/version-8.6/reference/notices.md index a73517d3bce..2ffad668baf 100644 --- a/versioned_docs/version-8.6/reference/notices.md +++ b/versioned_docs/version-8.6/reference/notices.md 
@@ -19,6 +19,34 @@ Report security vulnerabilities to Camunda immediately, following the instructio To learn more about security at Camunda, including our security policy, security issue management, and more, see [Camunda.com/security](https://camunda.com/security). ::: +## Notice 39 + +### Publication date + +Feb 10, 2026 + +### Products affected + +- Camunda Web Modeler + +### Impact + +The version of `fast-xml-parser` used by Camunda Web Modeler was affected by [CVE-2026-25128](https://nvd.nist.gov/vuln/detail/CVE-2026-25128), a RangeError vulnerability that could crash any application that processes untrusted XML input. + +### How to determine if the installation is affected + +You are using: + +- Web Modeler Self-Managed ≤ 8.8.6, ≤ 8.7.15, or ≤ 8.6.24 + +### Solution + +Camunda has provided the following releases that contain the fix: + +- Web Modeler Self-Managed 8.8.7, 8.7.16, 8.6.25 + +The fix was deployed to Web Modeler SaaS on February 2, 2026, 15:15 CET. + ## Notice 38 ### Publication date diff --git a/versioned_docs/version-8.7/reference/notices.md b/versioned_docs/version-8.7/reference/notices.md index a73517d3bce..2ffad668baf 100644 --- a/versioned_docs/version-8.7/reference/notices.md +++ b/versioned_docs/version-8.7/reference/notices.md 
@@ -19,6 +19,34 @@ Report security vulnerabilities to Camunda immediately, following the instructio To learn more about security at Camunda, including our security policy, security issue management, and more, see [Camunda.com/security](https://camunda.com/security). ::: +## Notice 39 + +### Publication date + +Feb 10, 2026 + +### Products affected + +- Camunda Web Modeler + +### Impact + +The version of `fast-xml-parser` used by Camunda Web Modeler was affected by [CVE-2026-25128](https://nvd.nist.gov/vuln/detail/CVE-2026-25128), a RangeError vulnerability that could crash any application that processes untrusted XML input. + +### How to determine if the installation is affected + +You are using: + +- Web Modeler Self-Managed ≤ 8.8.6, ≤ 8.7.15, or ≤ 8.6.24 + +### Solution + +Camunda has provided the following releases that contain the fix: + +- Web Modeler Self-Managed 8.8.7, 8.7.16, 8.6.25 + +The fix was deployed to Web Modeler SaaS on February 2, 2026, 15:15 CET. + ## Notice 38 ### Publication date diff --git a/versioned_docs/version-8.8/reference/notices.md b/versioned_docs/version-8.8/reference/notices.md index acf85e9fa94..70e09819982 100644 --- a/versioned_docs/version-8.8/reference/notices.md +++ b/versioned_docs/version-8.8/reference/notices.md 
@@ -19,6 +19,34 @@ Report security vulnerabilities to Camunda immediately, following the instructio To learn more about security at Camunda, including our security policy, security issue management, and more, see [Camunda.com/security](https://camunda.com/security). ::: +## Notice 39 + +### Publication date + +Feb 10, 2026 + +### Products affected + +- Camunda Web Modeler + +### Impact + +The version of `fast-xml-parser` used by Camunda Web Modeler was affected by [CVE-2026-25128](https://nvd.nist.gov/vuln/detail/CVE-2026-25128), a RangeError vulnerability that could crash any application that processes untrusted XML input. + +### How to determine if the installation is affected + +You are using: + +- Web Modeler Self-Managed ≤ 8.8.6, ≤ 8.7.15, or ≤ 8.6.24 + +### Solution + +Camunda has provided the following releases that contain the fix: + +- Web Modeler Self-Managed 8.8.7, 8.7.16, 8.6.25 + +The fix was deployed to Web Modeler SaaS on February 2, 2026, 15:15 CET. + ## Notice 38 ### Publication date
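Review bot: In the Impact section of the docs/reference/notices.md hunk (the same text is repeated in the three versioned copies), "could crash any application that processes untrusted XML input" describes `fast-xml-parser` in general, not Web Modeler. Say which Web Modeler component parses the XML and whether the parsing path is reachable without authentication, so a self-managed operator can judge exposure from the notice alone; if that has not been established, state that instead.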
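Review bot: In "How to determine if the installation is affected" in the versioned_docs/version-8.6 hunk, the line "Web Modeler Self-Managed ≤ 8.8.6, ≤ 8.7.15, or ≤ 8.6.24" is ambiguous: read literally, "≤ 8.8.6" already includes every 8.7.x and 8.6.x release, among them the fixed 8.7.16 and 8.6.25 listed under Solution. Write one bounded range per minor line (8.8.x up to 8.8.6, 8.7.x up to 8.7.15, 8.6.x up to 8.6.24) and add a sentence on whether releases older than 8.6 are affected or out of scope.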
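Review bot: In the Solution section of the versioned_docs/version-8.7 hunk, the fixed Web Modeler releases are listed but the fixed `fast-xml-parser` version is not, so someone checking a lockfile or SBOM cannot confirm the remediation from this notice. Add the dependency version next to the release list. The dates are also written two ways in the same notice ("Feb 10, 2026" under Publication date, "February 2, 2026, 15:15 CET" here); use one format throughout.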