CWE-611
Improper Restriction of XML External Entity Reference
Abstraction: Base. Status: Draft.
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (268)
(page 4 of 14)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-1000021 | High | 0.57 | 8.8 | 0.01 | | Jul 17, 2017 | LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents. |
| CVE-2017-8913 | High | 0.57 | 8.8 | 0.01 | | May 23, 2017 | The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. |
| CVE-2010-3322 | High | 0.57 | 8.8 | 0.01 | | Sep 14, 2010 | The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors. |
| CVE-2025-32406 | High | 0.56 | 8.6 | 0.00 | | Apr 8, 2025 | An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers to fetch and parse the XML response. |
| CVE-2016-9691 | High | 0.56 | 8.6 | 0.00 | | May 5, 2017 | IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515. |
| CVE-2016-7051 | High | 0.56 | 8.6 | 0.01 | | Apr 14, 2017 | XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. |
| CVE-2025-7766 | High | 0.55 | 8.0 | 0.00 | | Jul 22, 2025 | Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed. |
| CVE-2012-4399 | High | 0.54 | 7.5 | 0.25 | | Oct 9, 2012 | The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. |
| CVE-2026-41936 | High | 0.53 | 8.1 | 0.00 | | May 6, 2026 | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation. |
| CVE-2025-61813 | High | 0.53 | 8.2 | 0.00 | | Dec 10, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does require user interaction and scope is changed. |
| CVE-2025-4044 | High | 0.53 | 8.2 | 0.00 | | Aug 19, 2025 | Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows an attacker to disclose sensitive information to an arbitrary URL. |
| CVE-2025-4641 | Critical | 0.53 | — | 0.01 | | May 14, 2025 | Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.0.2. |
| CVE-2017-1477 | High | 0.53 | 8.1 | 0.01 | | Nov 13, 2017 | IBM Security Access Manager Appliance 9.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612. |
| CVE-2017-1527 | High | 0.53 | 8.1 | 0.01 | | Sep 26, 2017 | IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156. |
| CVE-2017-1458 | High | 0.53 | 8.1 | 0.01 | | Sep 5, 2017 | IBM QRadar Network Security 5.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377. |
| CVE-2017-12069 | High | 0.53 | 8.2 | 0.01 | | Aug 30, 2017 | An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker. |
| CVE-2017-1192 | High | 0.53 | 8.2 | 0.01 | | Aug 10, 2017 | IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663. |
| CVE-2017-1322 | High | 0.53 | 8.2 | 0.01 | | Jun 27, 2017 | IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125918. |
| CVE-2016-9698 | High | 0.53 | 8.1 | 0.01 | | Jun 8, 2017 | IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960. |
| CVE-2017-1289 | High | 0.53 | 8.2 | 0.01 | | May 22, 2017 | IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. |