VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base
Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 5 of 35
  • CVE-2026-38429 (Critical, May 5, 2026)
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

  • CVE-2026-36765 (High, Apr 30, 2026)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload.

  • CVE-2023-7307 (High, Aug 27, 2025)
    risk 0.57 | CVSS n/a | EPSS 0.00

    Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data…

  • CVE-2025-27523 (High, May 15, 2025)
    risk 0.57 | CVSS 8.7 | EPSS 0.00

    XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.

  • CVE-2025-4639 (High, May 14, 2025)
    risk 0.57 | CVSS n/a | EPSS 0.00

    CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of WebDav servlet in Peergos. This issue affects Peergos through version 1.1.0.

  • CVE-2023-38693 (Critical, Mar 5, 2025)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    Lucee Server (or simply Lucee) is a dynamic, Java-based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and…

  • CVE-2024-55875 (Critical, Dec 12, 2024)
    risk 0.57 | CVSS 9.8 | EPSS 0.02

    http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handles malicious XML content within requests, which might allow attackers to read local sensitive…

  • CVE-2024-46455 (Critical, Dec 9, 2024)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.

  • CVE-2024-51132 (Critical, Nov 5, 2024)
    risk 0.57 | CVSS 9.8 | EPSS 0.02

    An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.

  • CVE-2022-0239 (Critical, Jan 17, 2022)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    corenlp is vulnerable to Improper Restriction of XML External Entity Reference.

  • CVE-2018-10614 (High, Oct 9, 2018)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    An XXE vulnerability in LeviStudioU, versions 1.8.29 and 1.8.44, can be exploited when the application processes specially crafted project XML files.

  • CVE-2018-12243 (High, Sep 19, 2018)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI…

  • CVE-2018-8027 (Critical, Jul 31, 2018)
    risk 0.57 | CVSS 9.8 | EPSS 0.06

    Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in the XSD validation processor.

  • CVE-2017-7464 (High, Jul 27, 2018)
    risk 0.57 | CVSS 8.7 | EPSS 0.02

    It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.

  • CVE-2014-2296 (High, Jul 20, 2018)
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.

  • CVE-2018-14065 (Critical, Jul 15, 2018)
    risk 0.57 | CVSS 9.8 | EPSS 0.02

    XMLReader.php in PHPOffice Common before 0.2.9 allows XXE.

  • CVE-2018-1309 (Critical, May 23, 2018)
    risk 0.57 | CVSS 9.8 | EPSS 0.05

    Apache NiFi has an External XML Entity issue in the SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release.…

  • CVE-2014-3990 (Critical, Mar 20, 2018)
    risk 0.57 | CVSS 9.8 | EPSS 0.07

    The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP…

  • CVE-2018-7230 (High, Mar 9, 2018)
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    An XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67.

  • CVE-2017-18197 (Critical, Feb 24, 2018)
    risk 0.57 | CVSS 9.8 | EPSS 0.03

    In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.