CWE-91
Allowed-with-ReviewXML Injection (aka Blind XPath Injection)
Abstraction: Base · Status: Draft
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
190 vulnerabilities reference this CWE, most recent first.
GHSA-5P4V-RPM8-M6G3
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:09Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.
{
"affected": [],
"aliases": [
"CVE-2019-0370"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-08T20:15:00Z",
"severity": "MODERATE"
},
"details": "Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.",
"id": "GHSA-5p4v-rpm8-m6g3",
"modified": "2024-04-04T02:09:32Z",
"published": "2022-05-24T16:57:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0370"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2806403"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5PJJ-7FQ8-9GPF
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2025-11-07 23:16Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7-p1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.3.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.2-p1"
},
{
"fixed": "2.4.2-p2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.2"
]
}
],
"aliases": [
"CVE-2021-36028"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-07T23:16:16Z",
"nvd_published_at": "2021-09-01T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.",
"id": "GHSA-5pjj-7fq8-9gpf",
"modified": "2025-11-07T23:16:16Z",
"published": "2022-05-24T19:12:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36028"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Magento has an XML Injection vulnerability"
}
GHSA-5WM8-GMM8-39J9
Vulnerability from github – Published: 2026-05-08 16:29 – Updated: 2026-05-14 20:37Summary
When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.
Detail
Malicious Input
{
a: {
"@_attr": '" onClick="alert(1)'
}
}
Output
<a attr="" onClick="alert(1)"></a>
Workarounds
If you're not ignoring attributes then keep processEntities flag true.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.6"
},
"package": {
"ecosystem": "npm",
"name": "fast-xml-builder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44665"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T16:29:10Z",
"nvd_published_at": "2026-05-13T16:16:59Z",
"severity": "HIGH"
},
"details": "# Summary\nWhen an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.\n\n## Detail\n\nMalicious Input\n```\n{\n a: {\n \"@_attr\": \u0027\" onClick=\"alert(1)\u0027\n }\n}\n```\n\nOutput\n```xml\n\u003ca attr=\"\" onClick=\"alert(1)\"\u003e\u003c/a\u003e\n```\n\n### Workarounds\nIf you\u0027re not ignoring attributes then keep processEntities flag true.",
"id": "GHSA-5wm8-gmm8-39j9",
"modified": "2026-05-14T20:37:36Z",
"published": "2026-05-08T16:29:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44665"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-builder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"
}
GHSA-62HX-72QC-GR7J
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38An XML injection vulnerability in Junos OS CLI can allow a locally authenticated user to elevate privileges and run arbitrary commands as the root user. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47, 15.1 prior to 15.1R3. Junos versions prior to 15.1 are not affected. No other Juniper Networks products or platforms are affected by this issue.
{
"affected": [],
"aliases": [
"CVE-2017-10603"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "An XML injection vulnerability in Junos OS CLI can allow a locally authenticated user to elevate privileges and run arbitrary commands as the root user. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47, 15.1 prior to 15.1R3. Junos versions prior to 15.1 are not affected. No other Juniper Networks products or platforms are affected by this issue.",
"id": "GHSA-62hx-72qc-gr7j",
"modified": "2022-05-13T01:38:22Z",
"published": "2022-05-13T01:38:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10603"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10805"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038901"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-685X-R4M9-FFXR
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-03-12 00:30ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
{
"affected": [],
"aliases": [
"CVE-2020-29599"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-07T20:15:00Z",
"severity": "HIGH"
},
"details": "ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.",
"id": "GHSA-685x-r4m9-ffxr",
"modified": "2023-03-12T00:30:15Z",
"published": "2022-05-24T17:35:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29599"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/discussions/2851"
},
{
"type": "WEB",
"url": "https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69Q2-P9XP-739V
Vulnerability from github – Published: 2021-04-20 16:32 – Updated: 2024-10-09 20:47Duplicate Advisory
This advisoerey has been withdrawn because it is a duplicate of GHSA-f5gc-p5m3-v347. This link is maintained to preserve external references.
Original Description
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "petl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-13T19:20:39Z",
"nvd_published_at": "2020-11-26T05:15:00Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisoerey has been withdrawn because it is a duplicate of GHSA-f5gc-p5m3-v347. This link is maintained to preserve external references.\n\n## Original Description\npetl before 1.68, in some configurations, allows resolution of entities in an XML document.",
"id": "GHSA-69q2-p9xp-739v",
"modified": "2024-10-09T20:47:36Z",
"published": "2021-04-20T16:32:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/petl-developers/petl/security/advisories/GHSA-f5gc-p5m3-v347"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29128"
},
{
"type": "WEB",
"url": "https://github.com/petl-developers/petl/issues/526"
},
{
"type": "WEB",
"url": "https://github.com/petl-developers/petl/pull/527"
},
{
"type": "WEB",
"url": "https://github.com/petl-developers/petl/commit/07420ef8463cc387aea84e2d6241cf556574e2a5"
},
{
"type": "WEB",
"url": "https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/petl-developers/petl"
},
{
"type": "WEB",
"url": "https://github.com/petl-developers/petl/compare/v1.6.7...v1.6.8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/petl/PYSEC-2020-75.yaml"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing"
},
{
"type": "WEB",
"url": "https://petl.readthedocs.io/en/stable/changes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: XML Injection in petl",
"withdrawn": "2024-10-09T20:47:08Z"
}
GHSA-6CR4-774R-VPP6
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.
{
"affected": [],
"aliases": [
"CVE-2025-54251"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:15:59Z",
"severity": "MODERATE"
},
"details": "Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access.",
"id": "GHSA-6cr4-774r-vpp6",
"modified": "2025-09-09T18:31:21Z",
"published": "2025-09-09T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54251"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6PCC-3RFX-4GPM
Vulnerability from github – Published: 2018-10-16 17:01 – Updated: 2022-04-26 18:43dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000632"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:19:56Z",
"nvd_published_at": "2018-08-20T19:31:00Z",
"severity": "HIGH"
},
"details": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.\n\nNote: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
"id": "GHSA-6pcc-3rfx-4gpm",
"modified": "2022-04-26T18:43:56Z",
"published": "2018-10-16T17:01:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000632"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/issues/48"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190530-0001"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E"
},
{
"type": "WEB",
"url": "https://ihacktoprotect.com/post/dom4j-xml-injection"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-6pcc-3rfx-4gpm"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3172"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1162"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1161"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1160"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1159"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0380"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0365"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0364"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0362"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Dom4j contains a XML Injection vulnerability"
}
GHSA-6V78-5565-Q7F5
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 18:31Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted XML file. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11169"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:23Z",
"severity": "HIGH"
},
"details": "Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted XML file. (Chromium security severity: Medium)",
"id": "GHSA-6v78-5565-q7f5",
"modified": "2026-06-05T18:31:37Z",
"published": "2026-06-05T00:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11169"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/502285273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-764H-R5XF-7CF5
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\platypus\paraparser.py (reached via bscw.cgi op=_editfolder.EditFolder) calls eval on attacker-supplied Python code. This is fixed in 5.0.12, 5.1.10, 5.2.4, 7.3.3, and 7.4.3.
{
"affected": [],
"aliases": [
"CVE-2021-36359"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T05:15:00Z",
"severity": "HIGH"
},
"details": "OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\\platypus\\paraparser.py (reached via bscw.cgi op=_editfolder.EditFolder) calls eval on attacker-supplied Python code. This is fixed in 5.0.12, 5.1.10, 5.2.4, 7.3.3, and 7.4.3.",
"id": "GHSA-764h-r5xf-7cf5",
"modified": "2022-05-24T19:12:33Z",
"published": "2022-05-24T19:12:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36359"
},
{
"type": "WEB",
"url": "https://www.bscw.de/en/company"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163988/BSCW-Server-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Aug/23"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.