CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-X4Q2-P9FR-44FF
Vulnerability from github – Published: 2022-12-28 21:30 – Updated: 2023-01-06 18:30A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-4818"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.",
"id": "GHSA-x4q2-p9fr-44ff",
"modified": "2023-01-06T18:30:22Z",
"published": "2022-12-28T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4818"
},
{
"type": "WEB",
"url": "https://github.com/Talend/tmdm-server-se/pull/1598"
},
{
"type": "WEB",
"url": "https://github.com/Talend/tmdm-server-se/commit/95590db2ad6a582c371273ceab1a73ad6ed47853"
},
{
"type": "WEB",
"url": "https://github.com/Talend/tmdm-server-se/releases/tag/snap%2Fmaster%2F20221220_1938"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216997"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216997"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X4R9-GMW3-HXWW
Vulnerability from github – Published: 2026-06-12 18:23 – Updated: 2026-06-12 18:23Summary
A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).
Details
This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):
Impact
This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.
Workaround
GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Resources
https://osgeo-org.atlassian.net/browse/GEOS-11867 https://github.com/geoserver/geoserver/pull/8622
Credits:
- Le Mau Anh Phong at Verichains Cyber Force
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.27.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.27.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58175"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T18:23:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).\n\n### Details\nThis vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0):\n\n### Impact\nThis vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.\n\n### Workaround\nGeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., `https://somesite.org` instead of `https://somesite.org/` or `https://somesite.org/geoserver`). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.\n\n### Resources\nhttps://osgeo-org.atlassian.net/browse/GEOS-11867\nhttps://github.com/geoserver/geoserver/pull/8622\n\n### Credits:\n- Le Mau Anh Phong at Verichains Cyber Force",
"id": "GHSA-x4r9-gmw3-hxww",
"modified": "2026-06-12T18:23:35Z",
"published": "2026-06-12T18:23:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-x4r9-gmw3-hxww"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/pull/8622"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution"
}
GHSA-X58J-J539-W8MV
Vulnerability from github – Published: 2022-10-24 19:00 – Updated: 2023-08-03 22:54** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29421, GHSA-ccgm-3xw4-h5p8. Reason: This candidate is a duplicate of CVE-2021-29421. Notes: All CVE users should reference CVE-2021-29421 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pikepdf"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-46849"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T22:53:44Z",
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29421, GHSA-ccgm-3xw4-h5p8. Reason: This candidate is a duplicate of CVE-2021-29421. Notes: All CVE users should reference CVE-2021-29421 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.",
"id": "GHSA-x58j-j539-w8mv",
"modified": "2023-08-03T22:54:04Z",
"published": "2022-10-24T19:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46849"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/779475"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-ccgm-3xw4-h5p8"
},
{
"type": "WEB",
"url": "https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Improper Restriction of XML External Entity Reference in pikepdf",
"withdrawn": "2023-08-03T22:53:44Z"
}
GHSA-X58R-WXC3-7PQR
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-10-27 11:43Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "2.11"
},
{
"fixed": "2.12"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.11"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "2.10"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.10"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "2.9"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.9"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2305"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-23T23:20:09Z",
"nvd_published_at": "2020-11-04T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nMercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.",
"id": "GHSA-x58r-wxc3-7pqr",
"modified": "2023-10-27T11:43:00Z",
"published": "2022-05-24T17:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2305"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/mercurial-plugin/commit/84af58b08f80bb92792f7bc04a31487f3eeee95a"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2305.json"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/mercurial-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Mercurial Plugin"
}
GHSA-X5QJ-644J-7XC7
Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2025-04-12 13:00ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
{
"affected": [],
"aliases": [
"CVE-2015-8866"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-05-22T01:59:00Z",
"severity": "CRITICAL"
},
"details": "ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.",
"id": "GHSA-x5qj-644j-7xc7",
"modified": "2025-04-12T13:00:20Z",
"published": "2022-05-14T01:33:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8866"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=64938"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=de31324c221c1791b26350ba106cc26bad23ace9"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2750.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/04/24/1"
},
{
"type": "WEB",
"url": "http://www.php.net/ChangeLog-5.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/87470"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2952-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2952-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X64M-686F-FMM3
Vulnerability from github – Published: 2022-05-17 05:09 – Updated: 2024-05-21 20:17The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-1665"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-21T20:17:46Z",
"nvd_published_at": "2013-04-03T00:55:00Z",
"severity": "MODERATE"
},
"details": "The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
"id": "GHSA-x64m-686f-fmm3",
"modified": "2024-05-21T20:17:47Z",
"published": "2022-05-17T05:09:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1665"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1100279"
},
{
"type": "WEB",
"url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"
},
{
"type": "WEB",
"url": "http://bugs.python.org/issue17239"
},
{
"type": "WEB",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-1757-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2013/dsa-2634"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "XML External Entity (XXE) in Django"
}
GHSA-X6G4-FWCC-JJ8W
Vulnerability from github – Published: 2026-05-27 21:09 – Updated: 2026-05-27 21:09Description
symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages.
Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml's DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.
Resolution
The Crawler::addXmlContent method does not set the validateOnParse flag anymore.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45071"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:09:44Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`symfony/dom-crawler` provides the `Crawler` class for navigating HTML/XML documents with CSS/XPath selectors; `symfony/browser-kit`\u0027s `HttpBrowser` uses it to parse fetched pages.\n\n`Crawler::addXmlContent()` sets `DOMDocument::$validateOnParse = true` before calling `loadXML()`. Setting `validateOnParse` re-enables libxml\u0027s DTD subset processing, including external entity resolution, even though `LIBXML_NONET` is passed. `LIBXML_NONET` blocks **network** fetches but not `file://` entities. An attacker-supplied XML document with a `SYSTEM \"file:///etc/passwd\"` entity is therefore expanded.\n\n### Resolution\n\nThe `Crawler::addXmlContent` method does not set the `validateOnParse` flag anymore.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
"id": "GHSA-x6g4-fwcc-jj8w",
"modified": "2026-05-27T21:09:45Z",
"published": "2026-05-27T21:09:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true"
}
GHSA-X6RC-54XP-CCXX
Vulnerability from github – Published: 2022-05-14 02:21 – Updated: 2025-07-18 17:25Withdrawn Advisory
This advisory has been withdrawn because further investgation revealed that this is not a security issue. This link is maintained to preserve external references.
Original Description
XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.23.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.activemq:activemq-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.23.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-3208"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T20:17:45Z",
"nvd_published_at": "2017-07-25T18:29:00Z",
"severity": "CRITICAL"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because further investgation revealed that this is not a security issue. This link is maintained to preserve external references.\n\n## Original Description\nXML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.",
"id": "GHSA-x6rc-54xp-ccxx",
"modified": "2025-07-18T17:25:20Z",
"published": "2022-05-14T02:21:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3208"
},
{
"type": "WEB",
"url": "https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1225252"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/07/24/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Apache ActiveMQ",
"withdrawn": "2025-07-18T17:25:20Z"
}
GHSA-X752-5HRQ-8PGC
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0.
{
"affected": [],
"aliases": [
"CVE-2018-12408"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-08T14:29:00Z",
"severity": "HIGH"
},
"details": "The BusinessWorks engine component of TIBCO Software Inc.\u0027s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0.",
"id": "GHSA-x752-5hrq-8pgc",
"modified": "2022-05-13T01:34:48Z",
"published": "2022-05-13T01:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12408"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2018/08/tibco-security-advisory-august-7-2018-tibco-activematrix-businessworks"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105043"
},
{
"type": "WEB",
"url": "http://www.tibco.com/services/support/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7FX-4PM8-G98W
Vulnerability from github – Published: 2025-12-10 00:30 – Updated: 2025-12-10 00:30ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed.
{
"affected": [],
"aliases": [
"CVE-2025-61813"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T00:16:09Z",
"severity": "HIGH"
},
"details": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed.",
"id": "GHSA-x7fx-4pm8-g98w",
"modified": "2025-12-10T00:30:23Z",
"published": "2025-12-10T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61813"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.