CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 21 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-40075 | | Med | 0.28 | 4.3 | 0.01 | | Jul 22, 2024 | Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. |
| CVE-2016-0268 | | Med | 0.28 | 4.3 | 0.01 | | Mar 9, 2018 | XML external entity (XXE) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial… |
| CVE-2017-10889 | | Med | 0.28 | 4.3 | 0.01 | | Nov 17, 2017 | TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors. |
| CVE-2015-3160 | | Med | 0.28 | 4.3 | 0.01 | | Sep 6, 2017 | XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system. |
| CVE-2017-3839 | | Med | 0.28 | 4.3 | 0.02 | | Feb 22, 2017 | An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known… |
| CVE-2016-4047 | | Med | 0.28 | 4.3 | 0.01 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As… |
| CVE-2026-33737 | | Med | 0.27 | 5.3 | 0.00 | | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. |
| CVE-2026-28809 | | Med | 0.27 | 5.3 | 0.00 | | Mar 23, 2026 | XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled… |
| CVE-2025-35112 | | Med | 0.27 | 4.1 | 0.00 | | Aug 26, 2025 | Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31. |
| CVE-2024-58335 | | Med | 0.26 | 5.0 | 0.00 | | Dec 24, 2025 | OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java. |
| CVE-2025-66371 | | Med | 0.26 | 5.0 | 0.00 | | Nov 28, 2025 | Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. |
| CVE-2025-68463 | | Med | 0.25 | 4.9 | 0.00 | | Dec 18, 2025 | Bio.Entrez in Biopython through 186 allows doctype XXE. |
| CVE-2018-16252 | | Low | 0.25 | 3.3 | 0.03 | | Sep 5, 2018 | FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection. |
| CVE-2018-0878 | | Low | 0.25 | 3.1 | 0.22 | | Mar 14, 2018 | Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure… |
| CVE-2024-8010 | — | Low | 0.23 | 3.5 | 0.00 | | Apr 16, 2026 | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read… |
| CVE-2025-58360 | | | 0.22 | — | 0.67 | KEV | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms… |
| CVE-2018-0218 | | Low | 0.22 | 3.3 | 0.02 | | Mar 8, 2018 | A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML… |
| CVE-2018-0207 | | Low | 0.22 | 3.3 | 0.02 | | Mar 8, 2018 | A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML… |
| CVE-2026-49383 | | Low | 0.21 | 3.3 | 0.00 | | May 29, 2026 | In JetBrains IntelliJ IDEA before 2026.1, XXE in the UI Designer form parser was possible. |
| CVE-2023-46035 | | Med | 0.19 | — | 0.01 | | Oct 20, 2023 | An issue in Fnando svg_optimizer v.0.2.6 allows a remote attacker to escalate privileges when optimizing untrusted SVG content. |