Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-F8P4-3GJ8-2GXJ

Vulnerability from github – Published: 2026-02-17 18:32 – Updated: 2026-02-17 18:32
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-17T18:20:29Z",
    "severity": "HIGH"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-f8p4-3gj8-2gxj",
  "modified": "2026-02-17T18:32:58Z",
  "published": "2026-02-17T18:32:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36247"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7259961"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8V5-2G96-J9MQ

Vulnerability from github – Published: 2023-11-06 03:30 – Updated: 2024-10-29 21:30
VLAI
Details

e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-06T02:15:07Z",
    "severity": "MODERATE"
  },
  "details": "e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.",
  "id": "GHSA-f8v5-2g96-j9mq",
  "modified": "2024-10-29T21:30:43Z",
  "published": "2023-11-06T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46802"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN14762986"
    },
    {
      "type": "WEB",
      "url": "https://www.e-tax.nta.go.jp/topics/topics_20231102.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8V8-JQRR-5MHQ

Vulnerability from github – Published: 2024-11-27 00:31 – Updated: 2024-11-27 00:31
VLAI
Details

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-26T22:15:18Z",
    "severity": "HIGH"
  },
  "details": "An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.",
  "id": "GHSA-f8v8-jqrr-5mhq",
  "modified": "2024-11-27T00:31:41Z",
  "published": "2024-11-27T00:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53674"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US\u0026docId=hpesbgn04731en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F93F-G33R-8PCP

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2024-02-27 23:55
VLAI
Summary
Improper Restriction of XML External Entity Reference in Spring Framework
Details

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-0225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:58:08Z",
    "nvd_published_at": "2017-05-25T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.",
  "id": "GHSA-f93f-g33r-8pcp",
  "modified": "2024-02-27T23:55:20Z",
  "published": "2022-05-13T01:02:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb"
    },
    {
      "type": "WEB",
      "url": "https://jira.spring.io/browse/SPR-11768"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2014-0225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Spring Framework"
}

GHSA-FC4V-2946-8QGV

Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01
VLAI
Details

ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-09T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.",
  "id": "GHSA-fc4v-2946-8qgv",
  "modified": "2022-05-14T03:01:32Z",
  "published": "2022-05-14T03:01:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000614"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.onosproject.org/#/c/18779"
    },
    {
      "type": "WEB",
      "url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FC7R-QXMJ-FF6J

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to exposure of data on the Single Sign-On service broker file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-09T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to exposure of data on the Single Sign-On service broker file system.",
  "id": "GHSA-fc7r-qxmj-ff6j",
  "modified": "2022-05-13T01:07:04Z",
  "published": "2022-05-13T01:07:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8040"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2017-8040"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100617"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FCQJ-76G3-Q7QM

Vulnerability from github – Published: 2026-01-07 21:31 – Updated: 2026-03-19 21:06
VLAI
Summary
Bio-Formats has an XML External Entity (XXE) vulnerability
Details

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ome:pom-bio-formats"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-08T17:33:26Z",
    "nvd_published_at": "2026-01-07T21:16:02Z",
    "severity": "MODERATE"
  },
  "details": "Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.",
  "id": "GHSA-fcqj-76g3-q7qm",
  "modified": "2026-03-19T21:06:48Z",
  "published": "2026-01-07T21:31:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22186"
    },
    {
      "type": "WEB",
      "url": "https://docs.openmicroscopy.org/bio-formats"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ome/bioformats"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2026/Jan/6"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bio-Formats has an XML External Entity (XXE) vulnerability"
}

GHSA-FCRX-8829-JPQX

Vulnerability from github – Published: 2022-04-01 00:00 – Updated: 2022-04-01 19:59
VLAI
Summary
Improper Restriction of XML External Entity Reference in wutka jox
Details

An XML External Entity (XXE) vulnerability exists in wutka jox 1.16 in the readObject method in JOXSAXBeanInput.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.wutka:jox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T19:59:52Z",
    "nvd_published_at": "2022-03-30T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML External Entity (XXE) vulnerability exists in wutka jox 1.16 in the readObject method in JOXSAXBeanInput.",
  "id": "GHSA-fcrx-8829-jpqx",
  "modified": "2022-04-01T19:59:52Z",
  "published": "2022-04-01T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43142"
    },
    {
      "type": "WEB",
      "url": "https://novysodope.github.io/2021/10/29/64"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Restriction of XML External Entity Reference in wutka jox"
}

GHSA-FF42-CCP4-HWCV

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-13T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines.",
  "id": "GHSA-ff42-ccp4-hwcv",
  "modified": "2022-05-24T19:11:03Z",
  "published": "2022-05-24T19:11:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34823"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29105"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FFX8-Q4QJ-8VMR

Vulnerability from github – Published: 2025-08-28 00:30 – Updated: 2025-08-28 21:31
VLAI
Details

Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data containing external entity definitions, leading to potential disclosure of internal files, server-side request forgery (SSRF), or other impacts depending on parser behavior. The vulnerability is due to improper configuration of the XML parser, which allows resolution of external entities without restriction. This product is now integrated into their IAM (Internet Access Management) platform and an affected version range is undefined.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-27T22:15:32Z",
    "severity": "HIGH"
  },
  "details": "Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data containing external entity definitions, leading to potential disclosure of internal files, server-side request forgery (SSRF), or other impacts depending on parser behavior. The vulnerability is due to improper configuration of the XML parser, which allows resolution of external entities without restriction. This product is now\u00a0integrated into their IAM (Internet Access Management) platform and an affected version range is undefined.",
  "id": "GHSA-ffx8-q4qj-8vmr",
  "modified": "2025-08-28T21:31:25Z",
  "published": "2025-08-28T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7307"
    },
    {
      "type": "WEB",
      "url": "https://support.sangfor.com.cn/productDocument/read?product_id=22\u0026version_id=329\u0026category_id=261800"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/pursue-security/p/17666126.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sangfor.com/blog/cybersecurity/launching-sangfor-iam-12-0-23-manage-risky-shadow-it-right-way"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sangfor-behavior-management-system-xml-external-entity-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.