CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-H975-R69H-4W9P
Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 20:46** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.portals.jetspeed-2:jetspeed-commons"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-32533"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-611",
"CWE-79",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-08T17:57:13Z",
"nvd_published_at": "2022-07-06T10:15:00Z",
"severity": "CRITICAL"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.",
"id": "GHSA-h975-r69h-4w9p",
"modified": "2022-07-15T20:46:57Z",
"published": "2022-07-07T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32533"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient user input in Apache Jetspeed-2"
}
GHSA-H9FV-PF3W-2RH8
Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-19 00:00In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2022-2838"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-16T10:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Sphinx\u2122 before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.",
"id": "GHSA-h9fv-pf3w-2rh8",
"modified": "2022-08-19T00:00:39Z",
"published": "2022-08-17T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2838"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/580542"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H9GX-CVW7-JF96
Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-14 00:01Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.
{
"affected": [],
"aliases": [
"CVE-2022-29943"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-04T18:15:00Z",
"severity": "MODERATE"
},
"details": "Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.",
"id": "GHSA-h9gx-cvw7-jf96",
"modified": "2022-05-14T00:01:31Z",
"published": "2022-05-05T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29943"
},
{
"type": "WEB",
"url": "https://Talend.com"
},
{
"type": "WEB",
"url": "https://www.talend.com/security/incident-response/#CVE-2022-29942"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HC9X-XMWH-8232
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
{
"affected": [],
"aliases": [
"CVE-2020-24591"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T20:15:00Z",
"severity": "MODERATE"
},
"details": "The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.",
"id": "GHSA-hc9x-xmwh-8232",
"modified": "2022-05-24T17:26:21Z",
"published": "2022-05-24T17:26:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24591"
},
{
"type": "WEB",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HFJ4-XQ5F-7MC7
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.
{
"affected": [],
"aliases": [
"CVE-2022-2458"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T20:15:00Z",
"severity": "HIGH"
},
"details": "XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction \u0026 Internal file read in Business Central and also Kie-Server APIs.",
"id": "GHSA-hfj4-xq5f-7mc7",
"modified": "2022-08-16T00:00:23Z",
"published": "2022-08-11T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2458"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HFXG-757P-Q6W7
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.
{
"affected": [],
"aliases": [
"CVE-2021-20454"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-21T12:15:00Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.",
"id": "GHSA-hfxg-757p-q6w7",
"modified": "2022-05-24T17:48:05Z",
"published": "2022-05-24T17:48:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20454"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196649"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6445481"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HG4J-XGV6-PCR2
Vulnerability from github – Published: 2025-06-09 18:32 – Updated: 2026-04-01 18:35Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2.
{
"affected": [],
"aliases": [
"CVE-2025-31039"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T16:15:36Z",
"severity": "CRITICAL"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2.",
"id": "GHSA-hg4j-xgv6-pcr2",
"modified": "2026-04-01T18:35:24Z",
"published": "2025-06-09T18:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31039"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-xml-external-entity-xxe-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HG4V-R4M7-XJ5J
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-07 21:30An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.
{
"affected": [],
"aliases": [
"CVE-2024-46603"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T16:15:34Z",
"severity": "HIGH"
},
"details": "An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.",
"id": "GHSA-hg4v-r4m7-xj5j",
"modified": "2025-01-07T21:30:55Z",
"published": "2025-01-07T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46603"
},
{
"type": "WEB",
"url": "https://www.elspec-ltd.com/support/security-advisories"
},
{
"type": "WEB",
"url": "http://elspec.com"
},
{
"type": "WEB",
"url": "http://g5.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJ3G-VW9V-9WJ4
Vulnerability from github – Published: 2026-05-29 21:31 – Updated: 2026-05-29 21:31In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
{
"affected": [],
"aliases": [
"CVE-2026-49383"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T19:16:28Z",
"severity": "LOW"
},
"details": "In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible",
"id": "GHSA-hj3g-vw9v-9wj4",
"modified": "2026-05-29T21:31:23Z",
"published": "2026-05-29T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49383"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ5J-C8QP-MGMV
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
{
"affected": [],
"aliases": [
"CVE-2018-20843"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-24T17:15:00Z",
"severity": "HIGH"
},
"details": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
"id": "GHSA-hj5j-c8qp-mgmv",
"modified": "2024-04-04T01:02:40Z",
"published": "2022-05-24T16:48:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/issues/186"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/262"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-11"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4472"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4040-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4040-1"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K51011533"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190703-0001"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201911-08"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Jun/39"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.