VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base, Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 15 of 35
  • CVE-2025-6985 (High) Oct 6, 2025
    risk 0.42, cvss 7.5, epss 0.01

    The HTMLSectionSplitter class in langchain-text-splitters version 0.3.8 is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing. This vulnerability arises because the class allows the use of arbitrary XSLT stylesheets, which are parsed using…

  • CVE-2025-6984 (High) Sep 4, 2025
    risk 0.42, cvss 7.5, epss 0.02

    The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external…

  • CVE-2025-52162 (Medium) Jul 18, 2025
    risk 0.42, cvss 6.5, epss 0.00

    agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data via providing a crafted XML input.

  • CVE-2025-52888 (High) Jun 24, 2025
    risk 0.42, cvss 7.5, epss 0.00

    Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser…

  • CVE-2025-31497 (High) Apr 15, 2025
    risk 0.42, cvss 7.5, epss 0.00

    TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The…

  • CVE-2024-5625 (Medium) Jul 18, 2024
    risk 0.42, cvss 6.5, epss 0.00

    Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup. This issue affects Apinizer Management Console: before 2024.05.1.

  • CVE-2024-38374 (High) Jun 28, 2024
    risk 0.42, cvss 7.5, epss 0.01

    The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the…

  • CVE-2021-47621 (High) Jun 21, 2024
    risk 0.42, cvss 7.5, epss 0.01

    ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

  • CVE-2018-12471 (Medium) Oct 4, 2018
    risk 0.42, cvss 6.5, epss 0.02

    An External Entity Reference ('XXE') vulnerability in SUSE Linux SMT allows remote attackers to read data from the server or cause DoS by referencing blocking elements. Affected releases are SUSE Linux SMT: versions prior to 3.0.37.

  • CVE-2018-5433 (Medium) Jun 13, 2018
    risk 0.42, cvss 6.5, epss 0.01

    The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to…

  • CVE-2018-1000198 (Medium) Jun 5, 2018
    risk 0.42, cvss 6.5, epss 0.01

    An XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML external entities in an XML document.

  • CVE-2018-10175 (Medium) Apr 20, 2018
    risk 0.42, cvss 6.5, epss 0.01

    Digital Guardian Management Console 7.1.2.0015 has an XXE issue.

  • CVE-2015-7461 (Medium) Mar 20, 2018
    risk 0.42, cvss 6.5, epss 0.01

    XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. IBM X-Force ID: 108357.

  • CVE-2018-3600 (Medium) Feb 9, 2018
    risk 0.42, cvss 6.5, epss 0.02

    An external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations.

  • CVE-2017-14699 (Medium) Jan 29, 2018
    risk 0.42, cvss 6.5, epss 0.01

    Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow…

  • CVE-2016-0219 (Medium) Jan 16, 2018
    risk 0.42, cvss 6.5, epss 0.01

    XML external entity (XXE) vulnerability in IBM Rational Team Concert 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote authenticated users to cause a denial of service via crafted XML data. IBM…

  • CVE-2017-14949 (High) Nov 30, 2017
    risk 0.42, cvss 7.5, epss 0.02

    Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to…

  • CVE-2017-12623 (Medium) Oct 10, 2017
    risk 0.42, cvss 6.5, epss 0.02

    An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should…

  • CVE-2017-8040 (Medium) Sep 9, 2017
    risk 0.42, cvss 6.5, epss 0.01

    In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to…

  • CVE-2016-8739 (High) Aug 10, 2017
    risk 0.42, cvss 7.5, epss 0.07

    The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.