CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Description
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-197
CVEs mapped to this weakness (58)
Page 2 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44018 | | | 0.00 | — | 0.00 | | Jun 3, 2026 | ### Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity (XXE) attacks to read local files or cause denial of service - Decompression bombs (zip bombs) to exhaust memory and disk space -… |
| CVE-2026-33036 | | | 0.00 | — | 0.01 | | Mar 20, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity… |
| CVE-2026-29074 | | — | 0.00 | — | 0.00 | | Mar 6, 2026 | SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards… |
| CVE-2026-26278 | | | 0.00 | — | 0.01 | | Feb 19, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML… |
| CVE-2025-58767 | | — | 0.00 | — | 0.00 | | Sep 17, 2025 | REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches… |
| CVE-2025-3225 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a… |
| CVE-2024-43398 | | — | 0.00 | — | 0.01 | | Aug 22, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to… |
| CVE-2024-37388 | | | 0.00 | — | 0.01 | | Jun 7, 2024 | An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. |
| CVE-2024-36827 | | — | 0.00 | — | 0.01 | | Jun 7, 2024 | An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. |
| CVE-2024-1455 | | | 0.00 | — | 0.01 | | Mar 26, 2024 | A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory… |
| CVE-2023-49735 | | — | 0.00 | — | 0.01 | | Nov 30, 2023 | ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key.… |
| CVE-2023-28118 | | | 0.00 | — | 0.01 | | Mar 20, 2023 | kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents… |
| CVE-2023-24443 | | | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-24441 | | | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-25857 | | — | 0.00 | — | 0.02 | | Aug 30, 2022 | The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. |
| CVE-2022-33977 | | — | 0.00 | — | 0.01 | | Jul 26, 2022 | untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on… |
| CVE-2021-41559 | | — | 0.00 | — | 0.01 | | Jun 28, 2022 | Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. |
| CVE-2022-26662 | | — | 0.00 | — | 0.02 | | Mar 7, 2022 | An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x… |
| CVE-2022-23640 | | | 0.00 | — | 0.01 | | Mar 2, 2022 | Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a… |
| CVE-2021-25951 | | — | 0.00 | — | 0.01 | | Jun 30, 2021 | XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. |