CWE-776
AllowedImproper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Abstraction: Base · Status: Draft
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
142 vulnerabilities reference this CWE, most recent first.
GHSA-XRFM-M363-M483
Vulnerability from github – Published: 2026-05-12 21:31 – Updated: 2026-05-12 21:31A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.
NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x
{
"affected": [],
"aliases": [
"CVE-2026-23822"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T19:16:28Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.\n\n\n\n\n\n\n\n\nNOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x",
"id": "GHSA-xrfm-m363-m483",
"modified": "2026-05-12T21:31:33Z",
"published": "2026-05-12T21:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23822"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XVM2-9XVC-HX7F
Vulnerability from github – Published: 2022-03-02 21:30 – Updated: 2022-03-10 15:48Impact
Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.
Patches
Upgrade to version 2.1.0.
Workarounds
No known workaround.
References
https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73
For more information
If you have any questions or comments about this advisory: * Open an issue in monitorjbl/excel-streaming-reader
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.monitorjbl:xlsx-streamer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23640"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-02T21:30:54Z",
"nvd_published_at": "2022-03-02T20:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nPrior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.\n\n### Patches\nUpgrade to version 2.1.0.\n\n### Workarounds\nNo known workaround.\n\n### References\nhttps://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [monitorjbl/excel-streaming-reader](https://github.com/monitorjbl/excel-streaming-reader)\n\n",
"id": "GHSA-xvm2-9xvc-hx7f",
"modified": "2022-03-10T15:48:44Z",
"published": "2022-03-02T21:30:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23640"
},
{
"type": "WEB",
"url": "https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73"
},
{
"type": "WEB",
"url": "https://github.com/monitorjbl/excel-streaming-reader"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer"
}
Mitigation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Mitigation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.