CWE-91

XML Injection (aka Blind XPath Injection)

Base · Draft

Description

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-250 · CAPEC-83

CVEs mapped to this weakness (64)

  • CVE-2026-32870 · High · Apr 24, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,…

  • CVE-2026-34601 · High · Apr 2, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA…

  • CVE-2018-1000632 · High · Aug 20, 2018
    risk 0.42 · cvss 7.5 · epss 0.07

    dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker…

  • CVE-2018-1327 · High · Mar 27, 2018
    risk 0.42 · cvss 7.5 · epss 0.09

    The Apache Struts REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack when using a malicious request with a specially crafted XML payload. Upgrade to Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described…

  • CVE-2017-1000452 · High · Jan 2, 2018
    risk 0.42 · cvss 7.5 · epss 0.01

    An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and earlier, and in predecessor Express-saml2 which could allow attackers to impersonate arbitrary users.

  • CVE-2016-5697 · High · Jan 23, 2017
    risk 0.42 · cvss 7.5 · epss 0.01

    Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping attacks via unspecified vectors.

  • CVE-2024-13190 · Medium · Jan 8, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability classified as critical was found in ZeroWdd myblog 1.0. This vulnerability affects unknown code of the file src/main/resources/mapper/BlogMapper.xml. The manipulation of the argument findBlogList/getTotalBlogs leads to xml injection. The attack can be initiated…

  • CVE-2026-44664 · Medium · May 13, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out…

  • CVE-2017-2171 · Medium · May 22, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting vulnerability in Captcha prior to version 4.3.0, Car Rental prior to version 1.0.5, Contact Form Multi prior to version 1.2.1, Contact Form prior to version 4.0.6, Contact Form to DB prior to version 1.5.7, Custom Admin Page prior to version 0.1.2, Custom…

  • CVE-2026-47273 · Medium · May 27, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query…

  • CVE-2016-2932 · Medium · Nov 30, 2016
    risk 0.35 · cvss 5.3 · epss 0.01

    IBM BigFix Remote Control before 9.1.3 allows remote attackers to conduct XML injection attacks via unspecified vectors.

  • CVE-2025-47184 · Medium · Aug 21, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve information disclosure and privilege escalation via a crafted ISys XML message.

  • CVE-2026-44665 · Medium · May 13, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values but entity processing is not enabled, it breaks the attribute value into multiple attributes. This gives an attacker room to insert unwanted attributes into the…

  • CVE-2026-41650 · Medium · May 7, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This…

  • CVE-2026-53723 · Medium · Jun 11, 2026
    risk 0.31 · cvss 5.8 · epss 0.00

    Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy-to-use model structures. Versions prior to 1.5.4 do not safely serialize scalar XML element…

  • CVE-2026-27693 · Medium · May 5, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted…

  • CVE-2025-12921 · Medium · Nov 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection.…

  • CVE-2021-36020 · Sep 1, 2021
    risk 0.02 · cvss (not listed) · epss 0.03

    Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.

  • CVE-2019-19450 · Sep 20, 2023
    risk 0.01 · cvss (not listed) · epss 0.04

    paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

  • CVE-2021-36028 · Sep 1, 2021
    risk 0.01 · cvss (not listed) · epss 0.03

    Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code…