VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base | Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 17 of 35
  • CVE-2024-8602 | Medium | Oct 14, 2024
    risk 0.41 | cvss n/a | epss 0.00

    When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Further information on this can be found on the website of the Open Worldwide Application Security…

  • CVE-2023-49234 | Medium | Mar 29, 2024
    risk 0.41 | cvss 6.3 | epss 0.00

    An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server.

  • CVE-2018-8533 | Medium | Oct 10, 2018
    risk 0.41 | cvss 5.5 | epss 0.23

    An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server…

  • CVE-2018-8532 | Medium | Oct 10, 2018
    risk 0.41 | cvss 5.5 | epss 0.23

    An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server…

  • CVE-2018-8527 | Medium | Oct 10, 2018
    risk 0.41 | cvss 5.5 | epss 0.23

    An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server…

  • CVE-2020-37192 | Medium | Feb 11, 2026
    risk 0.40 | cvss 6.2 | epss 0.00

    MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. Attackers can exploit the 'Favorites' tab by injecting a malicious XML file that references external entities to…

  • CVE-2026-42212 | High | May 8, 2026
    risk 0.39 | cvss n/a | epss 0.00

    SolidCAM-GPPL-IDE is an unofficial, independently developed extension, a Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the…

  • CVE-2015-3542 | High | Nov 7, 2024
    risk 0.39 | cvss n/a | epss 0.00

    PHPExcel XXE Vulnerability

  • CVE-2018-10832 | Medium | May 11, 2018
    risk 0.39 | cvss 5.5 | epss 0.06

    ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in…

  • CVE-2017-8918 | Medium | Sep 12, 2017
    risk 0.39 | cvss 5.5 | epss 0.02

    XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.

  • CVE-2017-9095 | Medium | Sep 8, 2017
    risk 0.39 | cvss 5.5 | epss 0.04

    XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import.

  • CVE-2016-6805 | Medium | Apr 7, 2017
    risk 0.39 | cvss 5.9 | epss 0.02

    Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents.

  • CVE-2011-4107 | Medium | Nov 17, 2011
    risk 0.39 | cvss 6.5 | epss 0.13

    The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external…

  • CVE-2026-40991 | Medium | Jun 10, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating…

  • CVE-2026-46722 | Medium | May 19, 2026
    risk 0.38 | cvss n/a | epss 0.00

    The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search…

  • CVE-2025-54992 | Medium | Aug 11, 2025
    risk 0.38 | cvss n/a | epss 0.00

    OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the…

  • CVE-2025-53621 | Medium | Jul 15, 2025
    risk 0.38 | cvss 6.9 | epss 0.00

    DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing…

  • CVE-2025-6438 | Medium | Jul 11, 2025
    risk 0.38 | cvss n/a | epss 0.00

    A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access when the server is accessed via the network using an application…

  • CVE-2025-49493 | Medium | Jun 30, 2025
    risk 0.38 | cvss 5.8 | epss 0.03

    Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.

  • CVE-2024-28039 | Medium | Mar 18, 2024
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.