CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 5 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-38429 | — | Critical | 0.57 | 9.8 | 0.00 | — | May 5, 2026 | OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user-supplied .zip files containing a manifest.xml. |
| CVE-2026-36765 | — | High | 0.57 | 8.8 | 0.00 | — | Apr 30, 2026 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. |
| CVE-2023-7307 | — | High | 0.57 | — | 0.00 | — | Aug 27, 2025 | Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data… |
| CVE-2025-27523 | — | High | 0.57 | 8.7 | 0.00 | — | May 15, 2025 | XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06. |
| CVE-2025-4639 | — | High | 0.57 | — | 0.00 | — | May 14, 2025 | CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of the WebDav servlet in Peergos. This issue affects Peergos through version 1.1.0. |
| CVE-2023-38693 | — | Critical | 0.57 | 9.8 | 0.01 | — | Mar 5, 2025 | Lucee Server (or simply Lucee) is a dynamic, Java-based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and… |
| CVE-2024-55875 | — | Critical | 0.57 | 9.8 | 0.02 | — | Dec 12, 2024 | http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handles malicious XML content within requests, which might allow attackers to read local sensitive… |
| CVE-2024-46455 | — | Critical | 0.57 | 9.8 | 0.01 | — | Dec 9, 2024 | unstructured v0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. |
| CVE-2024-51132 | — | Critical | 0.57 | 9.8 | 0.02 | — | Nov 5, 2024 | An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. |
| CVE-2022-0239 | — | Critical | 0.57 | 9.8 | 0.01 | — | Jan 17, 2022 | corenlp is vulnerable to Improper Restriction of XML External Entity Reference. |
| CVE-2018-10614 | — | High | 0.57 | 8.8 | 0.01 | — | Oct 9, 2018 | An XXE vulnerability in LeviStudioU, versions 1.8.29 and 1.8.44, can be exploited when the application processes specially crafted project XML files. |
| CVE-2018-12243 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 19, 2018 | The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI… |
| CVE-2018-8027 | — | Critical | 0.57 | 9.8 | 0.06 | — | Jul 31, 2018 | Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in the XSD validation processor. |
| CVE-2017-7464 | — | High | 0.57 | 8.7 | 0.02 | — | Jul 27, 2018 | It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing. |
| CVE-2014-2296 | — | High | 0.57 | 8.8 | 0.02 | — | Jul 20, 2018 | XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. |
| CVE-2018-14065 | — | Critical | 0.57 | 9.8 | 0.02 | — | Jul 15, 2018 | XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. |
| CVE-2018-1309 | — | Critical | 0.57 | 9.8 | 0.05 | — | May 23, 2018 | Apache NiFi External XML Entity issue in the SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied in the Apache NiFi 1.6.0 release.… |
| CVE-2014-3990 | — | Critical | 0.57 | 9.8 | 0.07 | — | Mar 20, 2018 | The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP… |
| CVE-2018-7230 | — | High | 0.57 | 8.8 | 0.02 | — | Mar 9, 2018 | An XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67. |
| CVE-2017-18197 | — | Critical | 0.57 | 9.8 | 0.03 | — | Feb 24, 2018 | In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView. |