CWE-611
Improper Restriction of XML External Entity Reference
Abstraction: Base; Status: Draft
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (268)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6961 | Med | 0.31 | 5.9 | 0.00 | | Jul 21, 2024 | RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via the SYSTEM entity. |
| CVE-2024-9044 | Med | 0.30 | — | 0.00 | | Nov 29, 2024 | An XML External Entity (XXE) vulnerability has been identified in Easy Tax Client Software 2023 1.2 and earlier across multiple platforms, including Windows, Linux, and macOS. |
| CVE-2025-27136 | Med | 0.29 | — | 0.00 | | Mar 10, 2025 | LocalS3 is an Amazon S3 mock service for testing and local development. Prior to version 1.21, the LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML. The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document. This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability. |
| CVE-2017-15280 | Med | 0.29 | 5.5 | 0.00 | | Oct 12, 2017 | XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs. |
| CVE-2026-33371 | Med | 0.28 | 4.3 | 0.00 | | Mar 20, 2026 | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server. |
| CVE-2024-25066 | Med | 0.28 | 4.3 | 0.00 | | Feb 17, 2025 | RSA Authentication Manager before 8.7 SP2 Patch 1 allows XML External Entity (XXE) attacks via a license file, resulting in attacker-controlled files being stored on the product's server. Data exfiltration cannot occur. |
| CVE-2024-40075 | Med | 0.28 | 4.3 | 0.00 | | Jul 22, 2024 | Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. |
| CVE-2017-10889 | Med | 0.28 | 4.3 | 0.00 | | Nov 17, 2017 | TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors. |
| CVE-2015-3160 | Med | 0.28 | 4.3 | 0.00 | | Sep 6, 2017 | XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system. |
| CVE-2017-3839 | Med | 0.28 | 4.3 | 0.00 | | Feb 22, 2017 | An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5). |
| CVE-2016-4047 | Med | 0.28 | 4.3 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. |
| CVE-2026-33737 | Med | 0.27 | 5.3 | 0.00 | | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. |
| CVE-2025-35112 | Med | 0.27 | 4.1 | 0.00 | | Aug 26, 2025 | Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31. |
| CVE-2024-58335 | Med | 0.26 | 5.0 | 0.00 | | Dec 24, 2025 | OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java. |
| CVE-2025-66371 | Med | 0.26 | 5.0 | 0.00 | | Nov 28, 2025 | Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. |
| CVE-2025-68463 | Med | 0.25 | 4.9 | 0.00 | | Dec 18, 2025 | Bio.Entrez in Biopython through 186 allows doctype XXE. |
| CVE-2024-8010 | Low | 0.23 | 3.5 | 0.00 | | Apr 16, 2026 | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. |
| CVE-2024-42185 | Low | 0.16 | 2.5 | 0.00 | | Jan 23, 2025 | BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. This allows an attacker to exploit this vulnerability by injecting malicious XML content, which can lead to various issues including denial of service and unauthorized access. |
| CVE-2024-52800 | Low | 0.16 | — | 0.12 | | Nov 29, 2024 | veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available. |
| CVE-2025-66372 | Low | 0.11 | 2.8 | 0.00 | | Nov 28, 2025 | Mustang before 2.16.3 allows exfiltrating files via XXE attacks. |