VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Base (abstraction), Draft (status)

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 14 of 35
  • CVE-2016-9181 (High), Dec 22, 2016
    risk 0.46, cvss 7.1, epss 0.01

    perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.

  • CVE-2016-5971 (High), Sep 26, 2016
    risk 0.46, cvss 7.1, epss 0.01

    IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with…

  • CVE-2025-34142 (Medium), Jul 22, 2025
    risk 0.45, cvss not listed, epss 0.01

    An XML External Entity (XXE) injection vulnerability exists in ETQ Reliance on the CG (legacy) platform within the `/resources/sessions/sso` endpoint. The SAML authentication handler processes XML input without disabling external entity resolution, allowing crafted SAML…

  • CVE-2025-4338 (Medium), May 22, 2025
    risk 0.44, cvss 6.8, epss 0.00

    Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host…

  • CVE-2025-25036 (Medium), Mar 21, 2025
    risk 0.44, cvss 6.8, epss 0.00

    Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection. This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).

  • CVE-2025-32138 (Medium), Apr 4, 2025
    risk 0.43, cvss 6.6, epss 0.00

    Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection. This issue affects Easy Google Maps: from n/a through <= 1.11.18.

  • CVE-2025-31487 (High), Apr 3, 2025
    risk 0.43, cvss 7.7, epss 0.00

    The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns…

  • CVE-2017-15691 (Medium), Apr 26, 2018
    risk 0.43, cvss 6.5, epss 0.09

    In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers.…

  • CVE-2018-1308 (High), Apr 9, 2018
    risk 0.43, cvss 7.5, epss 0.21

    This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files…

  • CVE-2018-5758 (Medium), Mar 12, 2018
    risk 0.43, cvss 6.5, epss 0.03

    The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0.2.1 On-Premises allows for an XML External Entity attack through a crafted file, allowing attackers to read arbitrary files.

  • CVE-2017-0170 (Medium), Jul 11, 2017
    risk 0.43, cvss 6.5, epss 0.07

    Windows Performance Monitor in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability due to the way it parses XML…

  • CVE-2017-7907 (Medium), May 19, 2017
    risk 0.43, cvss 6.6, epss 0.00

    An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious…

  • CVE-2026-39053 (Medium), May 15, 2026
    risk 0.42, cvss 6.5, epss 0.00

    Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to…

  • CVE-2026-41895 (High), May 12, 2026
    risk 0.42, cvss 7.5, epss 0.00

    changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading,…

  • CVE-2023-42344 (High), May 8, 2026
    risk 0.42, cvss 7.3, epss 0.02

    Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

  • CVE-2026-41066 (High), Apr 24, 2026
    risk 0.42, cvss 7.5, epss 0.00

    lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to…

  • CVE-2026-40882 (High), Apr 22, 2026
    risk 0.42, cvss 7.6, epss 0.00

    OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which…

  • CVE-2026-26171 (High), Apr 14, 2026
    risk 0.42, cvss 7.5, epss 0.02

    Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

  • CVE-2025-14478 (High), Jan 17, 2026
    risk 0.42, cvss 7.5, epss 0.00

    The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve…

  • CVE-2025-64518 (High), Nov 10, 2025
    risk 0.42, cvss 7.5, epss 0.00

    The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely,…