CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-FPQ4-MCF9-C5W9
Vulnerability from github – Published: 2022-05-17 05:02 – Updated: 2024-02-15 03:30The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2012-3489"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-10-03T21:55:00Z",
"severity": "MODERATE"
},
"details": "The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.",
"id": "GHSA-fpq4-mcf9-c5w9",
"modified": "2024-02-15T03:30:19Z",
"published": "2022-05-17T05:02:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3489"
},
{
"type": "WEB",
"url": "https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=849173"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1263.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50635"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50718"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50859"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50946"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2534"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:139"
},
{
"type": "WEB",
"url": "http://www.postgresql.org/about/news/1407"
},
{
"type": "WEB",
"url": "http://www.postgresql.org/docs/8.3/static/release-8-3-20.html"
},
{
"type": "WEB",
"url": "http://www.postgresql.org/docs/8.4/static/release-8-4-13.html"
},
{
"type": "WEB",
"url": "http://www.postgresql.org/docs/9.0/static/release-9-0-9.html"
},
{
"type": "WEB",
"url": "http://www.postgresql.org/docs/9.1/static/release-9-1-5.html"
},
{
"type": "WEB",
"url": "http://www.postgresql.org/support/security"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/55074"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1542-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQ34-JRJ4-RRGQ
Vulnerability from github – Published: 2022-05-14 01:55 – Updated: 2022-05-14 01:55A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
{
"affected": [],
"aliases": [
"CVE-2018-8494"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-10T13:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \"MS XML Remote Code Execution Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.",
"id": "GHSA-fq34-jrj4-rrgq",
"modified": "2022-05-14T01:55:58Z",
"published": "2022-05-14T01:55:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8494"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8494"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105457"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQ39-62GX-8HQX
Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-29 17:32In TYPO3 faceted fulltext search (ke_search), the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "tpwd/ke_search"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "tpwd/ke_search"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "tpwd/ke_search"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "tpwd/ke_search"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46722"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-29T17:32:26Z",
"nvd_published_at": "2026-05-19T10:16:25Z",
"severity": "MODERATE"
},
"details": "In TYPO3 faceted fulltext search (`ke_search`), the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.",
"id": "GHSA-fq39-62gx-8hqx",
"modified": "2026-06-29T17:32:26Z",
"published": "2026-05-19T12:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46722"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/tpwd/ke_search/CVE-2026-46722.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tpwd/ke_search"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "TYPO3 ke_search XML External Entity Injection"
}
GHSA-FQGG-8QCM-J2CR
Vulnerability from github – Published: 2025-04-17 00:30 – Updated: 2025-04-17 00:30Overview
XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611)
Description
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference.
Impact
By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.
{
"affected": [],
"aliases": [
"CVE-2025-24911"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T23:15:45Z",
"severity": "MODERATE"
},
"details": "Overview \n\n\n\n\u00a0\n\n\n\nXML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) \n\n\n\n\u00a0\n\n\n\nDescription \n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference. \n\n\n\n\u00a0\n\n\n\nImpact \n\n\n\n\u00a0\n\n\n\nBy submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.",
"id": "GHSA-fqgg-8qcm-j2cr",
"modified": "2025-04-17T00:30:26Z",
"published": "2025-04-17T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24911"
},
{
"type": "WEB",
"url": "https://support.pentaho.com/hc/en-us/articles/35783689016589--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24911"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQP3-633W-R5GJ
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
{
"affected": [],
"aliases": [
"CVE-2017-11286"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-01T08:29:00Z",
"severity": "HIGH"
},
"details": "Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.",
"id": "GHSA-fqp3-633w-r5gj",
"modified": "2022-05-13T01:17:38Z",
"published": "2022-05-13T01:17:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11286"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100715"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039321"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQQP-7V7W-5XHP
Vulnerability from github – Published: 2025-09-29 06:30 – Updated: 2025-09-29 06:30A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-11140"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T04:15:40Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fqqp-7v7w-5xhp",
"modified": "2025-09-29T06:30:27Z",
"published": "2025-09-29T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11140"
},
{
"type": "WEB",
"url": "https://github.com/FightingLzn9/vul/blob/main/%E6%97%B6%E7%A9%BA%E6%99%BA%E5%8F%8Berp-3.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.326217"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.326217"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.658090"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FR47-W293-V3QJ
Vulnerability from github – Published: 2023-07-25 06:30 – Updated: 2024-04-04 06:20Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
{
"affected": [],
"aliases": [
"CVE-2023-32639"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-25T04:15:10Z",
"severity": "MODERATE"
},
"details": "Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.",
"id": "GHSA-fr47-w293-v3qj",
"modified": "2024-04-04T06:20:41Z",
"published": "2023-07-25T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32639"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN37857022"
},
{
"type": "WEB",
"url": "https://www.moj.go.jp/MINJI/minji06_00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR4X-V988-5548
Vulnerability from github – Published: 2023-06-13 12:30 – Updated: 2024-04-04 04:46Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed.
{
"affected": [],
"aliases": [
"CVE-2023-29498"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T10:15:10Z",
"severity": "MODERATE"
},
"details": "Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed.",
"id": "GHSA-fr4x-v988-5548",
"modified": "2024-04-04T04:46:13Z",
"published": "2023-06-13T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29498"
},
{
"type": "WEB",
"url": "https://felib.fujielectric.co.jp/download/details.htm?dataid=45829407\u0026site=global\u0026lang=en"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU97809354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR78-8877-W87J
Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.
{
"affected": [],
"aliases": [
"CVE-2018-1000834"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "runelite version \u003c= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.",
"id": "GHSA-fr78-8877-w87j",
"modified": "2022-05-14T01:42:26Z",
"published": "2022-05-14T01:42:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000834"
},
{
"type": "WEB",
"url": "https://github.com/runelite/runelite/issues/6160"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/runelite-XXE-MitM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FRQP-FR6C-CW58
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2024-04-04 03:06The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
{
"affected": [],
"aliases": [
"CVE-2021-28973"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-13T17:15:00Z",
"severity": "MODERATE"
},
"details": "The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.",
"id": "GHSA-frqp-fr6c-cw58",
"modified": "2024-04-04T03:06:04Z",
"published": "2022-05-24T17:47:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28973"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-01_CSNC-2021-005_Helix_ALM_XXE.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.