CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-GM7G-6H7X-RPGR
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to a targeted system that contain references within XML entities. An exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2019-1903"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-20T03:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to a targeted system that contain references within XML entities. An exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition.",
"id": "GHSA-gm7g-6h7x-rpgr",
"modified": "2024-04-04T01:02:02Z",
"published": "2022-05-24T16:48:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1903"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-csm-xml"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108857"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GMGF-PQHP-6W55
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
{
"affected": [],
"aliases": [
"CVE-2018-8819"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-14T20:29:00Z",
"severity": "HIGH"
},
"details": "An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the \"X-Wap-Profile\" HTTP header.",
"id": "GHSA-gmgf-pqhp-6w55",
"modified": "2022-05-13T01:07:40Z",
"published": "2022-05-13T01:07:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8819"
},
{
"type": "WEB",
"url": "https://hateshape.github.io/general/2018/06/07/CVE-2018-8819.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/148126/WebCTRL-Out-Of-Band-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jun/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GMM3-34HF-WCMJ
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:49ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.
{
"affected": [],
"aliases": [
"CVE-2018-20160"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-29T22:29:00Z",
"severity": "CRITICAL"
},
"details": "ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.",
"id": "GHSA-gmm3-34hf-wcmj",
"modified": "2024-04-04T00:49:38Z",
"published": "2022-05-24T16:46:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20160"
},
{
"type": "WEB",
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=109093"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GMWC-6M29-5HV6
Vulnerability from github – Published: 2022-05-14 01:56 – Updated: 2022-05-14 01:56An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8532, CVE-2018-8533.
{
"affected": [],
"aliases": [
"CVE-2018-8527"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-10T13:29:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka \"SQL Server Management Studio Information Disclosure Vulnerability.\" This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8532, CVE-2018-8533.",
"id": "GHSA-gmwc-6m29-5hv6",
"modified": "2022-05-14T01:56:14Z",
"published": "2022-05-14T01:56:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8527"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45585"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105474"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041826"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GP32-7H29-RPXM
Vulnerability from github – Published: 2019-03-14 15:39 – Updated: 2021-09-13 12:37Checkstyle prior to 8.18 loads external DTDs by default, which can potentially lead to denial of service attacks or the leaking of confidential information.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.puppycrawl.tools:checkstyle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-9658"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:37:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Checkstyle prior to 8.18 loads external DTDs by default, which can potentially lead to denial of service attacks or the leaking of confidential information.",
"id": "GHSA-gp32-7h29-rpxm",
"modified": "2021-09-13T12:37:35Z",
"published": "2019-03-14T15:39:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9658"
},
{
"type": "WEB",
"url": "https://github.com/checkstyle/checkstyle/issues/6474"
},
{
"type": "WEB",
"url": "https://github.com/checkstyle/checkstyle/issues/6478"
},
{
"type": "WEB",
"url": "https://github.com/checkstyle/checkstyle/pull/6476"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJPT54USMGWT3Y6XVXLDEHKRUY2EI4OE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEYBAHYAV37WHMOXZYM2ZWF46FHON6YC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMOPJ2XYE4LB2HM7OMSUBBIYEDUTLWE"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00029.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/fff26ee7b59360a0264fef4e8ed9454ef652db2c39f2892a9ea1c9cb@%3Cnotifications.fluo.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/a35a8ccb316d4c2340710f610cba8058e87d5376259b35ef3ed2bf89@%3Cnotifications.accumulo.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/994221405e940e148adcfd9cb24ffc6700bed70c7820c55a22559d26@%3Cnotifications.fluo.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7eea10e7be4c21060cb1e79f6524c6e6559ba833b1465cd2870a56b9@%3Cserver-dev.james.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6bf8bbbca826e883f09ba40bc0d319350e1d6d4cf4df7c9e399b2699@%3Ccommits.fluo.apache.org%3E"
},
{
"type": "PACKAGE",
"url": "https://github.com/checkstyle/checkstyle"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-gp32-7h29-rpxm"
},
{
"type": "WEB",
"url": "https://checkstyle.org/releasenotes.html#Release_8.18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moderate severity vulnerability that affects com.puppycrawl.tools:checkstyle"
}
GHSA-GP39-H9C2-QW79
Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2023-09-25 14:47Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendopenid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendrest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-audioscrobbler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-nirvanix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-slideshare"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-technorati"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-windowsazure"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-amazon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-2682"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-25T14:47:31Z",
"nvd_published_at": "2014-11-16T00:59:00Z",
"severity": "MODERATE"
},
"details": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.",
"id": "GHSA-gp39-h9c2-qw79",
"modified": "2023-09-25T14:47:31Z",
"published": "2022-05-14T00:56:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2682"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0151.html"
},
{
"type": "WEB",
"url": "http://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q2/0"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3265"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Several Zend Products Vulnerable to XXE and XEE attacks"
}
GHSA-GP6M-VQHM-5CM5
Vulnerability from github – Published: 2021-07-02 18:37 – Updated: 2024-11-19 18:24XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. The parse function does not properly restrict recursive entity references.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "XML2Dict"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25951"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-01T21:42:31Z",
"nvd_published_at": "2021-06-30T12:15:00Z",
"severity": "HIGH"
},
"details": "XXE vulnerability in \u0027XML2Dict\u0027 version 0.2.2 allows an attacker to cause a denial of service. The parse function does not properly restrict recursive entity references.",
"id": "GHSA-gp6m-vqhm-5cm5",
"modified": "2024-11-19T18:24:52Z",
"published": "2021-07-02T18:37:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25951"
},
{
"type": "WEB",
"url": "https://github.com/mcspring/XML2Dict/tree/master"
},
{
"type": "PACKAGE",
"url": "https://github.com/mcspring/xml2dict"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/xml2dict/PYSEC-2021-349.yaml"
},
{
"type": "WEB",
"url": "https://pypi.org/project/XML2Dict"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25951"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XML2Dict XML Entity Expansion Vulnerability"
}
GHSA-GPC2-PW66-CFHJ
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.
{
"affected": [],
"aliases": [
"CVE-2021-35066"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-21T20:15:00Z",
"severity": "CRITICAL"
},
"details": "An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.",
"id": "GHSA-gpc2-pw66-cfhj",
"modified": "2022-05-24T19:05:47Z",
"published": "2022-05-24T19:05:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35066"
},
{
"type": "WEB",
"url": "https://home.connectwise.com/securityBulletin/60cc8c63508a120001cb6e8d"
},
{
"type": "WEB",
"url": "https://www.connectwise.com/company/trust/security-bulletins"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GQ57-CPJ2-WWMC
Vulnerability from github – Published: 2025-08-26 09:30 – Updated: 2025-08-26 09:30Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-57704"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T07:15:33Z",
"severity": "MODERATE"
},
"details": "Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability.",
"id": "GHSA-gq57-cpj2-wwmc",
"modified": "2025-08-26T09:30:28Z",
"published": "2025-08-26T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57704"
},
{
"type": "WEB",
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00013_EIP%20Builder%20XML%20External%20Entity%20Processing%20Information%20Disclosure%20Vulnerability.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GQ66-WMX6-V7RG
Vulnerability from github – Published: 2022-05-14 03:32 – Updated: 2022-05-14 03:32The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0.2.1 On-Premises allows for an XML External Entity attack through a crafted file, allowing attackers to read arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2018-5758"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-12T21:29:00Z",
"severity": "MODERATE"
},
"details": "The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0.2.1 On-Premises allows for an XML External Entity attack through a crafted file, allowing attackers to read arbitrary files.",
"id": "GHSA-gq66-wmx6-v7rg",
"modified": "2022-05-14T03:32:29Z",
"published": "2022-05-14T03:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5758"
},
{
"type": "WEB",
"url": "https://rhinosecuritylabs.com/research/xml-external-entity-injection-xxe-cve-2018-5758"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.