CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-G3J3-J629-PW89
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-10 21:30Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. This vulnerability allows an attacker to provide malicious XML input containing a reference to an external entity, leading to data disclosure or potentially code execution. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.
{
"affected": [],
"aliases": [
"CVE-2024-49535"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T20:15:18Z",
"severity": "MODERATE"
},
"details": "Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution. This vulnerability allows an attacker to provide malicious XML input containing a reference to an external entity, leading to data disclosure or potentially code execution. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.",
"id": "GHSA-g3j3-j629-pw89",
"modified": "2024-12-10T21:30:52Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49535"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb24-92.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G3M4-2WR6-2Q64
Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2025-10-22 00:33SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
{
"affected": [],
"aliases": [
"CVE-2025-2775"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T15:15:57Z",
"severity": "CRITICAL"
},
"details": "SysAid On-Prem versions \u003c= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.",
"id": "GHSA-g3m4-2wr6-2q64",
"modified": "2025-10-22T00:33:18Z",
"published": "2025-05-07T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2775"
},
{
"type": "WEB",
"url": "https://documentation.sysaid.com/docs/24-40-60"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2775"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G3RP-9M2C-VRWM
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.
The specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM. Was ZDI-CAN-17571.
{
"affected": [],
"aliases": [
"CVE-2023-39472"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:13Z",
"severity": "MODERATE"
},
"details": "Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM. Was ZDI-CAN-17571.",
"id": "GHSA-g3rp-9m2c-vrwm",
"modified": "2024-05-03T03:30:56Z",
"published": "2024-05-03T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39472"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G436-FJ5G-4GW9
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.
{
"affected": [],
"aliases": [
"CVE-2022-3338"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-18T10:15:00Z",
"severity": "MODERATE"
},
"details": "An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.",
"id": "GHSA-g436-fj5g-4gw9",
"modified": "2022-10-20T19:00:36Z",
"published": "2022-10-18T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3338"
},
{
"type": "WEB",
"url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10387"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G43X-PCC9-F472
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-12-05 22:12Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.14"
},
"package": {
"ecosystem": "Maven",
"name": "com.compuware.jenkins:compuware-common-configuration"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41226"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-23T13:29:17Z",
"nvd_published_at": "2022-09-21T16:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-g43x-pcc9-f472",
"modified": "2022-12-05T22:12:31Z",
"published": "2022-09-22T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41226"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/compuware-common-configuration-plugin/pull/24"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/compuware-common-configuration-plugin/commit/351a46798cdc10479cb6966f05a51bc2174806a0"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/compuware-common-configuration-plugin/commit/8410fd5e0a619200f5bc2e906ecba940e8506436"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/compuware-common-configuration-plugin/commit/a92f1fba5ab375cfcceed92a16666a4c709e0f3b"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/compuware-common-configuration-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2832"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference"
}
GHSA-G4C3-4F3V-84X8
Vulnerability from github – Published: 2023-07-12 18:30 – Updated: 2023-07-20 14:15Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
External Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:external-monitor-job"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "207.v98a"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37942"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-12T19:49:45Z",
"nvd_published_at": "2023-07-12T16:15:13Z",
"severity": "MODERATE"
},
"details": "Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nExternal Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser.",
"id": "GHSA-g4c3-4f3v-84x8",
"modified": "2023-07-20T14:15:36Z",
"published": "2023-07-12T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37942"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3133"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/12/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins External Monitor Job Type Plugin XML external entity vulnerability"
}
GHSA-G4C9-7PF2-8RVC
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147709.
{
"affected": [],
"aliases": [
"CVE-2018-1730"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-05T17:29:00Z",
"severity": "HIGH"
},
"details": "IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147709.",
"id": "GHSA-g4c9-7pf2-8rvc",
"modified": "2022-05-13T01:32:55Z",
"published": "2022-05-13T01:32:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1730"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/147709"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10742741\u0026myns=swgother\u0026mynp=OCSSBQAC\u0026mync=E\u0026cm_sp=swgother-_-OCSSBQAC-_-E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G4HQ-749C-P7FV
Vulnerability from github – Published: 2022-05-17 02:54 – Updated: 2022-05-17 02:54XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2016-4931"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-20T20:59:00Z",
"severity": "MODERATE"
},
"details": "XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service.",
"id": "GHSA-g4hq-749c-p7fv",
"modified": "2022-05-17T02:54:28Z",
"published": "2022-05-17T02:54:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4931"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10760"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93540"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G4R8-28FP-F255
Vulnerability from github – Published: 2023-01-05 12:30 – Updated: 2024-02-13 21:47A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to version 1.12.1 is able to address this issue. The name of the patch is ad6615b3ec41353e614f6ea5fdd5b046442a832b. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "fr.turri:aXMLRPC"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36641"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-11T23:48:32Z",
"nvd_published_at": "2023-01-05T12:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function `ResponseParser` of the file `src/main/java/de/timroes/axmlrpc/ResponseParser.java`. The manipulation leads to xml external entity reference. Upgrading to version 1.12.1 is able to address this issue. The name of the patch is ad6615b3ec41353e614f6ea5fdd5b046442a832b. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability.",
"id": "GHSA-g4r8-28fp-f255",
"modified": "2024-02-13T21:47:52Z",
"published": "2023-01-05T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36641"
},
{
"type": "WEB",
"url": "https://github.com/gturri/aXMLRPC/commit/456752ebc1ef4c0db980cb5b01a0b3cd0a9e0bae"
},
{
"type": "WEB",
"url": "https://github.com/gturri/aXMLRPC/commit/ad6615b3ec41353e614f6ea5fdd5b046442a832b"
},
{
"type": "PACKAGE",
"url": "https://github.com/gturri/aXMLRPC"
},
{
"type": "WEB",
"url": "https://github.com/gturri/aXMLRPC/releases/tag/aXMLRPC-1.12.1"
},
{
"type": "WEB",
"url": "https://github.com/gturri/aXMLRPC/releases/tag/aXMLRPC-1.14.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217450"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217450"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "aXMLRPC XML External Entity vulnerability"
}
GHSA-G536-463C-Q7R3
Vulnerability from github – Published: 2025-06-30 21:30 – Updated: 2025-09-24 21:30Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.
{
"affected": [],
"aliases": [
"CVE-2025-49493"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-30T20:15:25Z",
"severity": "MODERATE"
},
"details": "Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.",
"id": "GHSA-g536-463c-q7r3",
"modified": "2025-09-24T21:30:31Z",
"published": "2025-06-30T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49493"
},
{
"type": "WEB",
"url": "https://github.com/SystemVll/CVE-2025-49493"
},
{
"type": "WEB",
"url": "https://techdocs.akamai.com/cloudtest/changelog/june-2-2025-enhancements-and-bug-fixes"
},
{
"type": "WEB",
"url": "https://www.akamai.com/products/cloudtest"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.