Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-X4Q2-P9FR-44FF

Vulnerability from github – Published: 2022-12-28 21:30 – Updated: 2023-01-06 18:30
VLAI
Details

A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.",
  "id": "GHSA-x4q2-p9fr-44ff",
  "modified": "2023-01-06T18:30:22Z",
  "published": "2022-12-28T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Talend/tmdm-server-se/pull/1598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Talend/tmdm-server-se/commit/95590db2ad6a582c371273ceab1a73ad6ed47853"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Talend/tmdm-server-se/releases/tag/snap%2Fmaster%2F20221220_1938"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.216997"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216997"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X4R9-GMW3-HXWW

Vulnerability from github – Published: 2026-06-12 18:23 – Updated: 2026-06-12 18:23
VLAI
Summary
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
Details

Summary

A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).

Details

This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):

Impact

This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.

Workaround

GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.

Resources

https://osgeo-org.atlassian.net/browse/GEOS-11867 https://github.com/geoserver/geoserver/pull/8622

Credits:

  • Le Mau Anh Phong at Verichains Cyber Force
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.27.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.27.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T18:23:35Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nA GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).\n\n### Details\nThis vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0):\n\n### Impact\nThis vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.\n\n### Workaround\nGeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., `https://somesite.org` instead of `https://somesite.org/` or `https://somesite.org/geoserver`). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.\n\n### Resources\nhttps://osgeo-org.atlassian.net/browse/GEOS-11867\nhttps://github.com/geoserver/geoserver/pull/8622\n\n### Credits:\n-  Le Mau Anh Phong at Verichains Cyber Force",
  "id": "GHSA-x4r9-gmw3-hxww",
  "modified": "2026-06-12T18:23:35Z",
  "published": "2026-06-12T18:23:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-x4r9-gmw3-hxww"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/pull/8622"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution"
}

GHSA-X58J-J539-W8MV

Vulnerability from github – Published: 2022-10-24 19:00 – Updated: 2023-08-03 22:54
VLAI
Summary
Duplicate Advisory: Improper Restriction of XML External Entity Reference in pikepdf
Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29421, GHSA-ccgm-3xw4-h5p8. Reason: This candidate is a duplicate of CVE-2021-29421. Notes: All CVE users should reference CVE-2021-29421 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pikepdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "2.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-46849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T22:53:44Z",
    "nvd_published_at": "2022-10-24T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29421, GHSA-ccgm-3xw4-h5p8. Reason: This candidate is a duplicate of CVE-2021-29421. Notes: All CVE users should reference CVE-2021-29421 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.",
  "id": "GHSA-x58j-j539-w8mv",
  "modified": "2023-08-03T22:54:04Z",
  "published": "2022-10-24T19:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46849"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/779475"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-ccgm-3xw4-h5p8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Improper Restriction of XML External Entity Reference in pikepdf",
  "withdrawn": "2023-08-03T22:53:44Z"
}

GHSA-X58R-WXC3-7PQR

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-10-27 11:43
VLAI
Summary
XXE vulnerability in Jenkins Mercurial Plugin
Details

Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:mercurial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11"
            },
            {
              "fixed": "2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.11"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:mercurial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.10"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:mercurial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9"
            },
            {
              "fixed": "2.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.9"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:mercurial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T23:20:09Z",
    "nvd_published_at": "2020-11-04T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nMercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.",
  "id": "GHSA-x58r-wxc3-7pqr",
  "modified": "2023-10-27T11:43:00Z",
  "published": "2022-05-24T17:33:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/mercurial-plugin/commit/84af58b08f80bb92792f7bc04a31487f3eeee95a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2305.json"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/mercurial-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Mercurial Plugin"
}

GHSA-X5QJ-644J-7XC7

Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2025-04-12 13:00
VLAI
Details

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-05-22T01:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.",
  "id": "GHSA-x5qj-644j-7xc7",
  "modified": "2025-04-12T13:00:20Z",
  "published": "2022-05-14T01:33:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8866"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=64938"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=de31324c221c1791b26350ba106cc26bad23ace9"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2750.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/24/1"
    },
    {
      "type": "WEB",
      "url": "http://www.php.net/ChangeLog-5.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/87470"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2952-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2952-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X64M-686F-FMM3

Vulnerability from github – Published: 2022-05-17 05:09 – Updated: 2024-05-21 20:17
VLAI
Summary
XML External Entity (XXE) in Django
Details

The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-1665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-21T20:17:46Z",
    "nvd_published_at": "2013-04-03T00:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
  "id": "GHSA-x64m-686f-fmm3",
  "modified": "2024-05-21T20:17:47Z",
  "published": "2022-05-17T05:09:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1100279"
    },
    {
      "type": "WEB",
      "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.python.org/issue17239"
    },
    {
      "type": "WEB",
      "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-1757-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2013/dsa-2634"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "XML External Entity (XXE) in Django"
}

GHSA-X6G4-FWCC-JJ8W

Vulnerability from github – Published: 2026-05-27 21:09 – Updated: 2026-05-27 21:09
VLAI
Summary
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
Details

Description

symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages.

Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml's DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.

Resolution

The Crawler::addXmlContent method does not set the validateOnParse flag anymore.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/dom-crawler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/dom-crawler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/dom-crawler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/dom-crawler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T21:09:44Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\n`symfony/dom-crawler` provides the `Crawler` class for navigating HTML/XML documents with CSS/XPath selectors; `symfony/browser-kit`\u0027s `HttpBrowser` uses it to parse fetched pages.\n\n`Crawler::addXmlContent()` sets `DOMDocument::$validateOnParse = true` before calling `loadXML()`. Setting `validateOnParse` re-enables libxml\u0027s DTD subset processing, including external entity resolution, even though `LIBXML_NONET` is passed. `LIBXML_NONET` blocks **network** fetches but not `file://` entities. An attacker-supplied XML document with a `SYSTEM \"file:///etc/passwd\"` entity is therefore expanded.\n\n### Resolution\n\nThe `Crawler::addXmlContent` method does not set the `validateOnParse` flag anymore.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
  "id": "GHSA-x6g4-fwcc-jj8w",
  "modified": "2026-05-27T21:09:45Z",
  "published": "2026-05-27T21:09:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2026-45071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true"
}

GHSA-X6RC-54XP-CCXX

Vulnerability from github – Published: 2022-05-14 02:21 – Updated: 2025-07-18 17:25
VLAI
Summary
Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Apache ActiveMQ
Details

Withdrawn Advisory

This advisory has been withdrawn because further investgation revealed that this is not a security issue. This link is maintained to preserve external references.

Original Description

XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.23.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-3208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:17:45Z",
    "nvd_published_at": "2017-07-25T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because further investgation revealed that this is not a security issue. This link is maintained to preserve external references.\n\n## Original Description\nXML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.",
  "id": "GHSA-x6rc-54xp-ccxx",
  "modified": "2025-07-18T17:25:20Z",
  "published": "2022-05-14T02:21:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3208"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2927"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1225252"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/07/24/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Apache ActiveMQ",
  "withdrawn": "2025-07-18T17:25:20Z"
}

GHSA-X752-5HRQ-8PGC

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-08T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "The BusinessWorks engine component of TIBCO Software Inc.\u0027s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0.",
  "id": "GHSA-x752-5hrq-8pgc",
  "modified": "2022-05-13T01:34:48Z",
  "published": "2022-05-13T01:34:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12408"
    },
    {
      "type": "WEB",
      "url": "https://www.tibco.com/support/advisories/2018/08/tibco-security-advisory-august-7-2018-tibco-activematrix-businessworks"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105043"
    },
    {
      "type": "WEB",
      "url": "http://www.tibco.com/services/support/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7FX-4PM8-G98W

Vulnerability from github – Published: 2025-12-10 00:30 – Updated: 2025-12-10 00:30
VLAI
Details

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T00:16:09Z",
    "severity": "HIGH"
  },
  "details": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed.",
  "id": "GHSA-x7fx-4pm8-g98w",
  "modified": "2025-12-10T00:30:23Z",
  "published": "2025-12-10T00:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61813"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.