CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-P2HQ-X27F-8MX5
Vulnerability from github – Published: 2022-01-31 00:00 – Updated: 2022-02-05 00:00Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.
{
"affected": [],
"aliases": [
"CVE-2021-46660"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-30T00:15:00Z",
"severity": "CRITICAL"
},
"details": "Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.",
"id": "GHSA-p2hq-x27f-8mx5",
"modified": "2022-02-05T00:00:58Z",
"published": "2022-01-31T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46660"
},
{
"type": "WEB",
"url": "https://help.signiant.com/flight-deck/general/release-notes-15-1"
},
{
"type": "WEB",
"url": "https://www.signiant.com/technology/security"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P2JV-394X-276F
Vulnerability from github – Published: 2022-05-17 00:33 – Updated: 2022-05-17 00:33OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability: /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/. An unauthenticated user is able to read directory listings or system files, or cause SSRF or Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2017-14759"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-03T01:29:00Z",
"severity": "CRITICAL"
},
"details": "OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability: /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/. An unauthenticated user is able to read directory listings or system files, or cause SSRF or Denial of Service.",
"id": "GHSA-p2jv-394x-276f",
"modified": "2022-05-17T00:33:46Z",
"published": "2022-05-17T00:33:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14759"
},
{
"type": "WEB",
"url": "https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Sep/97"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2QF-9VP6-3JJQ
Vulnerability from github – Published: 2023-06-15 15:30 – Updated: 2024-03-01 14:32A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "cn.hutool:hutool-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.8.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3276"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-16T19:39:29Z",
"nvd_published_at": "2023-06-15T13:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference.",
"id": "GHSA-p2qf-9vp6-3jjq",
"modified": "2024-03-01T14:32:41Z",
"published": "2023-06-15T15:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3276"
},
{
"type": "WEB",
"url": "https://fbdhhhh47.github.io/2023/06/06/hutool-XXE"
},
{
"type": "PACKAGE",
"url": "https://github.com/dromara/hutool"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.231626"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.231626"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "HuTool XML parsing module has blind XXE vulnerability"
}
GHSA-P343-WH48-8MVF
Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-08 00:00Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.
{
"affected": [],
"aliases": [
"CVE-2022-24449"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-28T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.",
"id": "GHSA-p343-wh48-8mvf",
"modified": "2022-05-08T00:00:34Z",
"published": "2022-04-29T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24449"
},
{
"type": "WEB",
"url": "https://en.rt-solar.ru/products/solarAPPscreener"
},
{
"type": "WEB",
"url": "https://github.com/jet-pentest/CVE-2022-24449"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P368-MJ9G-R3MH
Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-05-17 02:53External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.
{
"affected": [],
"aliases": [
"CVE-2016-5748"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-23T06:59:00Z",
"severity": "MODERATE"
},
"details": "External Entity Processing (XXE) vulnerability in the \"risk score\" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.",
"id": "GHSA-p368-mj9g-r3mh",
"modified": "2022-05-17T02:53:42Z",
"published": "2022-05-17T02:53:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5748"
},
{
"type": "WEB",
"url": "https://www.novell.com/support/kb/doc.php?id=7017797"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P37Q-JM8V-RGQF
Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-05-27 06:31Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
{
"affected": [],
"aliases": [
"CVE-2026-2253"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T04:16:26Z",
"severity": "HIGH"
},
"details": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.7 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.",
"id": "GHSA-p37q-jm8v-rgqf",
"modified": "2026-05-27T06:31:34Z",
"published": "2026-05-27T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2253"
},
{
"type": "WEB",
"url": "https://support.pentaho.com/hc/en-us/articles/45677548193933--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2026-2253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P3G7-98FF-92PP
Vulnerability from github – Published: 2024-12-19 18:31 – Updated: 2025-01-02 21:31An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.
{
"affected": [],
"aliases": [
"CVE-2024-55081"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-19T17:15:09Z",
"severity": "CRITICAL"
},
"details": "An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.",
"id": "GHSA-p3g7-98ff-92pp",
"modified": "2025-01-02T21:31:41Z",
"published": "2024-12-19T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55081"
},
{
"type": "WEB",
"url": "https://gist.github.com/summerxxoo/18b3ccc91aacd606aa4d48a02029e9e7"
},
{
"type": "WEB",
"url": "https://github.com/summerxxoo/VulnPoc/blob/main/chat2DB_XXE.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P498-RPCW-3578
Vulnerability from github – Published: 2022-05-14 03:45 – Updated: 2024-01-30 22:41Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.64"
},
"package": {
"ecosystem": "Maven",
"name": "org.jvnet.hudson.plugins:warnings"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.65"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000012"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T22:41:12Z",
"nvd_published_at": "2018-01-23T14:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-p498-rpcw-3578",
"modified": "2024-01-30T22:41:12Z",
"published": "2022-05-14T03:45:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000012"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-01-22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability Jenkins Warnings Plugin"
}
GHSA-P52V-VCVW-FCMG
Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).
{
"affected": [],
"aliases": [
"CVE-2024-45745"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T16:15:05Z",
"severity": "MODERATE"
},
"details": "TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).",
"id": "GHSA-p52v-vcvw-fcmg",
"modified": "2024-09-27T18:32:25Z",
"published": "2024-09-27T18:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45745"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json"
},
{
"type": "WEB",
"url": "https://www.topquadrant.com/wp-content/uploads/2024/06/changelog-8.0.1.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P58M-78V3-3XR8
Vulnerability from github – Published: 2025-08-19 15:31 – Updated: 2025-08-19 15:31Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.
{
"affected": [],
"aliases": [
"CVE-2025-4044"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T14:15:38Z",
"severity": "HIGH"
},
"details": "Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.",
"id": "GHSA-p58m-78v3-3xr8",
"modified": "2025-08-19T15:31:28Z",
"published": "2025-08-19T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4044"
},
{
"type": "WEB",
"url": "https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.