Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-P2HQ-X27F-8MX5

Vulnerability from github – Published: 2022-01-31 00:00 – Updated: 2022-02-05 00:00
VLAI
Details

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-30T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.",
  "id": "GHSA-p2hq-x27f-8mx5",
  "modified": "2022-02-05T00:00:58Z",
  "published": "2022-01-31T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46660"
    },
    {
      "type": "WEB",
      "url": "https://help.signiant.com/flight-deck/general/release-notes-15-1"
    },
    {
      "type": "WEB",
      "url": "https://www.signiant.com/technology/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P2JV-394X-276F

Vulnerability from github – Published: 2022-05-17 00:33 – Updated: 2022-05-17 00:33
VLAI
Details

OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability: /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/. An unauthenticated user is able to read directory listings or system files, or cause SSRF or Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-03T01:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability: /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/. An unauthenticated user is able to read directory listings or system files, or cause SSRF or Denial of Service.",
  "id": "GHSA-p2jv-394x-276f",
  "modified": "2022-05-17T00:33:46Z",
  "published": "2022-05-17T00:33:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14759"
    },
    {
      "type": "WEB",
      "url": "https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Sep/97"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P2QF-9VP6-3JJQ

Vulnerability from github – Published: 2023-06-15 15:30 – Updated: 2024-03-01 14:32
VLAI
Summary
HuTool XML parsing module has blind XXE vulnerability
Details

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cn.hutool:hutool-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.8.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-16T19:39:29Z",
    "nvd_published_at": "2023-06-15T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference.",
  "id": "GHSA-p2qf-9vp6-3jjq",
  "modified": "2024-03-01T14:32:41Z",
  "published": "2023-06-15T15:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3276"
    },
    {
      "type": "WEB",
      "url": "https://fbdhhhh47.github.io/2023/06/06/hutool-XXE"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dromara/hutool"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.231626"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.231626"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HuTool XML parsing module has blind XXE vulnerability"
}

GHSA-P343-WH48-8MVF

Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-08 00:00
VLAI
Details

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-28T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.",
  "id": "GHSA-p343-wh48-8mvf",
  "modified": "2022-05-08T00:00:34Z",
  "published": "2022-04-29T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24449"
    },
    {
      "type": "WEB",
      "url": "https://en.rt-solar.ru/products/solarAPPscreener"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jet-pentest/CVE-2022-24449"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P368-MJ9G-R3MH

Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-05-17 02:53
VLAI
Details

External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-23T06:59:00Z",
    "severity": "MODERATE"
  },
  "details": "External Entity Processing (XXE) vulnerability in the \"risk score\" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.",
  "id": "GHSA-p368-mj9g-r3mh",
  "modified": "2022-05-17T02:53:42Z",
  "published": "2022-05-17T02:53:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5748"
    },
    {
      "type": "WEB",
      "url": "https://www.novell.com/support/kb/doc.php?id=7017797"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P37Q-JM8V-RGQF

Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-05-27 06:31
VLAI
Details

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T04:16:26Z",
    "severity": "HIGH"
  },
  "details": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.7 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.",
  "id": "GHSA-p37q-jm8v-rgqf",
  "modified": "2026-05-27T06:31:34Z",
  "published": "2026-05-27T06:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2253"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/45677548193933--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2026-2253"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3G7-98FF-92PP

Vulnerability from github – Published: 2024-12-19 18:31 – Updated: 2025-01-02 21:31
VLAI
Details

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-19T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.",
  "id": "GHSA-p3g7-98ff-92pp",
  "modified": "2025-01-02T21:31:41Z",
  "published": "2024-12-19T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55081"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/summerxxoo/18b3ccc91aacd606aa4d48a02029e9e7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/summerxxoo/VulnPoc/blob/main/chat2DB_XXE.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P498-RPCW-3578

Vulnerability from github – Published: 2022-05-14 03:45 – Updated: 2024-01-30 22:41
VLAI
Summary
XXE vulnerability Jenkins Warnings Plugin
Details

Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.64"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins:warnings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.65"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:41:12Z",
    "nvd_published_at": "2018-01-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-p498-rpcw-3578",
  "modified": "2024-01-30T22:41:12Z",
  "published": "2022-05-14T03:45:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000012"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-01-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability Jenkins Warnings Plugin"
}

GHSA-P52V-VCVW-FCMG

Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32
VLAI
Details

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T16:15:05Z",
    "severity": "MODERATE"
  },
  "details": "TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).",
  "id": "GHSA-p52v-vcvw-fcmg",
  "modified": "2024-09-27T18:32:25Z",
  "published": "2024-09-27T18:32:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45745"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.topquadrant.com/wp-content/uploads/2024/06/changelog-8.0.1.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P58M-78V3-3XR8

Vulnerability from github – Published: 2025-08-19 15:31 – Updated: 2025-08-19 15:31
VLAI
Details

Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T14:15:38Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.",
  "id": "GHSA-p58m-78v3-3xr8",
  "modified": "2025-08-19T15:31:28Z",
  "published": "2025-08-19T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4044"
    },
    {
      "type": "WEB",
      "url": "https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.