CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-M56X-7JGW-3HFR
Vulnerability from github – Published: 2023-02-03 21:30 – Updated: 2023-02-13 15:30XML External Entity (XXE) vulnerability in Talend Remote Engine Gen 2 before R2022-09.
{
"affected": [],
"aliases": [
"CVE-2022-45588"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-03T21:15:00Z",
"severity": "CRITICAL"
},
"details": "XML External Entity (XXE) vulnerability in Talend Remote Engine Gen 2 before R2022-09.",
"id": "GHSA-m56x-7jgw-3hfr",
"modified": "2023-02-13T15:30:26Z",
"published": "2023-02-03T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45588"
},
{
"type": "WEB",
"url": "https://www.talend.com/security/incident-response/#CVE-2022-45588"
},
{
"type": "WEB",
"url": "http://talend.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M739-F9CM-66X2
Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-08 18:31Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library).
This issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.
Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-47898"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T08:16:24Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library).\n\nThis issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.\n\nUsers are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.",
"id": "GHSA-m739-f9cm-66x2",
"modified": "2026-07-08T18:31:32Z",
"published": "2026-07-03T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47898"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/7yn9k6sbbsk18yco5y2hszpcf8dst489"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/03/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M745-JCVJ-8CX6
Vulnerability from github – Published: 2023-10-18 12:30 – Updated: 2025-10-22 00:32Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.
{
"affected": [],
"aliases": [
"CVE-2023-45727"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-18T10:15:08Z",
"severity": "HIGH"
},
"details": "Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.",
"id": "GHSA-m745-jcvj-8cx6",
"modified": "2025-10-22T00:32:51Z",
"published": "2023-10-18T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45727"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN95981460"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45727"
},
{
"type": "WEB",
"url": "https://www.proself.jp/information/153"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M7JW-5WWC-GXWH
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2022-10-14 12:00An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.
{
"affected": [],
"aliases": [
"CVE-2019-6179"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-03T19:15:00Z",
"severity": "HIGH"
},
"details": "An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.",
"id": "GHSA-m7jw-5wwc-gxwh",
"modified": "2022-10-14T12:00:18Z",
"published": "2022-05-24T16:55:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6179"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/solutions/LEN-27805"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M7M4-4VM8-55WG
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-10-21 20:11PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyamf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-8549"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-31T21:54:25Z",
"nvd_published_at": "2020-01-15T15:15:00Z",
"severity": "HIGH"
},
"details": "PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.",
"id": "GHSA-m7m4-4vm8-55wg",
"modified": "2024-10-21T20:11:40Z",
"published": "2022-05-24T17:06:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8549"
},
{
"type": "WEB",
"url": "https://github.com/hydralabs/pyamf/pull/58"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m7m4-4vm8-55wg"
},
{
"type": "PACKAGE",
"url": "https://github.com/hydralabs/pyamf"
},
{
"type": "WEB",
"url": "https://github.com/hydralabs/pyamf/releases/tag/v0.8.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyamf/PYSEC-2020-339.yaml"
},
{
"type": "WEB",
"url": "https://pypi.org/project/pyamf"
},
{
"type": "WEB",
"url": "http://www.ocert.org/advisories/ocert-2015-011.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PyAMF vulnerable to XML external entity (XXE)"
}
GHSA-M7XH-548P-355R
Vulnerability from github – Published: 2025-12-24 06:30 – Updated: 2025-12-24 06:30OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.
{
"affected": [],
"aliases": [
"CVE-2024-58335"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T06:15:43Z",
"severity": "MODERATE"
},
"details": "OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.",
"id": "GHSA-m7xh-548p-355r",
"modified": "2025-12-24T06:30:26Z",
"published": "2025-12-24T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58335"
},
{
"type": "WEB",
"url": "https://github.com/jcthiele/OpenXRechnungToolbox/commit/6c50e8979924b09f336c976cbad3a9ebfe25ebf9"
},
{
"type": "WEB",
"url": "https://invoice.secvuln.info"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M84V-PJJQ-FHH8
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data.
{
"affected": [],
"aliases": [
"CVE-2019-18227"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-31T22:15:00Z",
"severity": "HIGH"
},
"details": "Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data.",
"id": "GHSA-m84v-pjjq-fhh8",
"modified": "2024-04-04T02:37:32Z",
"published": "2022-05-24T17:00:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18227"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-304-01"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-936"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-939"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-942"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-943"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-944"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-945"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-946"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-947"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-953"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-954"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-959"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8CJ-3V68-3CXJ
Vulnerability from github – Published: 2024-06-13 09:31 – Updated: 2024-07-17 19:15Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.6-p1"
},
{
"fixed": "2.4.6-p6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4-p9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.7"
]
}
],
"aliases": [
"CVE-2024-34102"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-13T19:33:57Z",
"nvd_published_at": "2024-06-13T09:15:10Z",
"severity": "CRITICAL"
},
"details": "Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.",
"id": "GHSA-m8cj-3v68-3cxj",
"modified": "2024-07-17T19:15:32Z",
"published": "2024-06-13T09:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34102"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/30877fce83b793f71421c47347885cf076e81799"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/a3c6d6e5e95e63031e4df26cfcf76feace7549c2"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/c5c538810b87449886f4669cb8abbe8e5593c83c"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/d10435b11ada4e502dca7539f8fd31d059d3c482#diff-84a0773a6287fbbaadf3b9103f4a137fc0b6946de2437ddfd6f60a0722cf8d23"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2024-34102.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb24-40.html"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Magento Open Source affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability"
}
GHSA-M8GJ-RHH9-783Q
Vulnerability from github – Published: 2025-03-05 18:32 – Updated: 2025-03-05 18:32External XML entity injection allows arbitrary download of files. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
{
"affected": [],
"aliases": [
"CVE-2025-24521"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T16:15:39Z",
"severity": "MODERATE"
},
"details": "External XML entity injection allows arbitrary download of files. The \nscore without least privilege principle violation is as calculated \nbelow. In combination with other issues it may facilitate further \ncompromise of the device. Remediation in Version 6.8.0, release date: \n01-Mar-25.",
"id": "GHSA-m8gj-rhh9-783q",
"modified": "2025-03-05T18:32:09Z",
"published": "2025-03-05T18:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24521"
},
{
"type": "WEB",
"url": "https://support.ixiacom.com"
},
{
"type": "WEB",
"url": "https://support.ixiacom.com/support-overview/product-support/downloads-updates"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-02"
},
{
"type": "WEB",
"url": "https://www.keysight.com/us/en/contact.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M8GQ-83GH-V42V
Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-03-18 23:52CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0rc1"
},
"package": {
"ecosystem": "PyPI",
"name": "cvrf2csaf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0rc2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-27193"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T23:52:30Z",
"nvd_published_at": "2022-03-15T05:15:00Z",
"severity": "MODERATE"
},
"details": "CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.",
"id": "GHSA-m8gq-83gh-v42v",
"modified": "2022-03-18T23:52:30Z",
"published": "2022-03-16T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27193"
},
{
"type": "PACKAGE",
"url": "https://github.com/csaf-tools/CVRF-CSAF-Converter"
},
{
"type": "WEB",
"url": "https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "XML External Entities Vulnerability in CVRF-CSAF-Converter"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.