Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1692 vulnerabilities reference this CWE, most recent first.

GHSA-PFR4-5HM6-GJRQ

Vulnerability from github – Published: 2025-07-23 06:33 – Updated: 2025-07-23 06:33
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-23T06:15:26Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.",
  "id": "GHSA-pfr4-5hm6-gjrq",
  "modified": "2025-07-23T06:33:51Z",
  "published": "2025-07-23T06:33:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54445"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungtv.com/securityUpdates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PG28-353J-PR59

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-16T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.",
  "id": "GHSA-pg28-353j-pr59",
  "modified": "2022-05-24T19:08:20Z",
  "published": "2022-05-24T19:08:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3752"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/security/en-us/details/537853/DSA-2019-119-Dell-EMC-Avamar-XML-External-Entity-Injection-Vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PG3C-C32P-95VX

Vulnerability from github – Published: 2022-05-17 00:50 – Updated: 2022-05-17 00:50
VLAI
Details

XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-12T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.",
  "id": "GHSA-pg3c-c32p-95vx",
  "modified": "2022-05-17T00:50:24Z",
  "published": "2022-05-17T00:50:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8918"
    },
    {
      "type": "WEB",
      "url": "https://thenopsled.com/Exploit-DB%20Writeup.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGCF-289Q-WWMJ

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-12-03 00:30
VLAI
Details

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.",
  "id": "GHSA-pgcf-289q-wwmj",
  "modified": "2022-12-03T00:30:20Z",
  "published": "2022-05-24T16:54:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4424"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162770"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10959537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGR7-WPPM-2GMP

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-09-28 15:30
VLAI
Details

yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-17T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document.",
  "id": "GHSA-pgr7-wppm-2gmp",
  "modified": "2023-09-28T15:30:15Z",
  "published": "2022-05-24T17:28:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25215"
    },
    {
      "type": "WEB",
      "url": "https://www.yworks.com/products/yed/download"
    },
    {
      "type": "WEB",
      "url": "https://zigrin.com/advisories/yworks-yed-graph-editor-xml-external-entity-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGWJ-M55X-47M9

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-05T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file.",
  "id": "GHSA-pgwj-m55x-47m9",
  "modified": "2022-05-13T01:35:12Z",
  "published": "2022-05-13T01:35:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0414"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105289"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041688"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH8X-8Q5Q-F3MH

Vulnerability from github – Published: 2022-05-14 03:21 – Updated: 2022-05-14 03:21
VLAI
Details

The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-16T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.",
  "id": "GHSA-ph8x-8q5q-f3mh",
  "modified": "2022-05-14T03:21:40Z",
  "published": "2022-05-14T03:21:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6323"
    },
    {
      "type": "WEB",
      "url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20170628_00"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98621"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PHMG-7CWJ-2HP3

Vulnerability from github – Published: 2025-07-30 21:31 – Updated: 2025-07-30 21:31
VLAI
Details

Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-30T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.",
  "id": "GHSA-phmg-7cwj-2hp3",
  "modified": "2025-07-30T21:31:39Z",
  "published": "2025-07-30T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36608"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000346195/dsa-2025-259-security-update-for-dell-networking-os10-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJ2P-4HQ9-W6VQ

Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-05-17 00:26
VLAI
Details

XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-10T13:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.",
  "id": "GHSA-pj2p-4hq9-w6vq",
  "modified": "2022-05-17T00:26:26Z",
  "published": "2022-05-17T00:26:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13706"
    },
    {
      "type": "WEB",
      "url": "https://www.lansweeper.com/changelog.aspx"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Oct/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJ6P-9P8X-5MFC

Vulnerability from github – Published: 2026-05-08 06:32 – Updated: 2026-05-14 13:05
VLAI
Summary
Alkacon OpenCms is vulnerable to XXE when the <!DOCTYPE> refers to an external host
Details

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencms:opencms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:05:03Z",
    "nvd_published_at": "2026-05-08T05:16:09Z",
    "severity": "HIGH"
  },
  "details": "Alkacon OpenCms before 16 allows XXE when the \u003c!DOCTYPE\u003e refers to an external host.",
  "id": "GHSA-pj6p-9p8x-5mfc",
  "modified": "2026-05-14T13:05:03Z",
  "published": "2026-05-08T06:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42346"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alkacon/opencms-core"
    },
    {
      "type": "WEB",
      "url": "https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Alkacon OpenCms is vulnerable to XXE when the \u003c!DOCTYPE\u003e refers to an external host"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.