CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-GCG5-H35M-25RV
Vulnerability from github – Published: 2024-11-12 21:30 – Updated: 2024-11-22 21:32XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence
{
"affected": [],
"aliases": [
"CVE-2024-10218"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T20:15:05Z",
"severity": "CRITICAL"
},
"details": "XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility),\u00a0monitoringconsolecommon.jar\u00a0in TIBCO Software Inc\u00a0TIBCO Hawk and\u00a0TIBCO Operational Intelligence",
"id": "GHSA-gcg5-h35m-25rv",
"modified": "2024-11-22T21:32:12Z",
"published": "2024-11-12T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10218"
},
{
"type": "WEB",
"url": "https://community.tibco.com/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:L/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:X/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-GCHV-364H-R896
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2023-10-13 21:07A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 only. Apache Jena 4.2.x and 4.3.x do not allow external entities.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.jena:jena"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.4.0"
]
}
],
"aliases": [
"CVE-2022-28890"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T20:52:33Z",
"nvd_published_at": "2022-05-05T09:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 only. Apache Jena 4.2.x and 4.3.x do not allow external entities.",
"id": "GHSA-gchv-364h-r896",
"modified": "2023-10-13T21:07:20Z",
"published": "2022-05-06T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28890"
},
{
"type": "PACKAGE",
"url": "https://gitbox.apache.org/repos/asf/jena.git"
},
{
"type": "WEB",
"url": "https://jena.apache.org/about_jena/security-advisories.html#cve-2022-28890---processing-external-dtds"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in apache jena"
}
GHSA-GCMC-57W6-9878
Vulnerability from github – Published: 2025-07-29 09:31 – Updated: 2025-07-29 09:31SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files.
{
"affected": [],
"aliases": [
"CVE-2025-26400"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T08:15:26Z",
"severity": "MODERATE"
},
"details": "SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files.",
"id": "GHSA-gcmc-57w6-9878",
"modified": "2025-07-29T09:31:12Z",
"published": "2025-07-29T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26400"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26400"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GCP6-QPVH-GGVF
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-04-04 02:45Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.
{
"affected": [],
"aliases": [
"CVE-2019-19031"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-30T20:15:00Z",
"severity": "HIGH"
},
"details": "Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.",
"id": "GHSA-gcp6-qpvh-ggvf",
"modified": "2024-04-04T02:45:54Z",
"published": "2022-05-24T17:05:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19031"
},
{
"type": "WEB",
"url": "https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155996/Easy-XML-Editor-1.7.8-XML-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GCQM-MJ95-PMJX
Vulnerability from github – Published: 2022-10-15 12:01 – Updated: 2022-10-15 12:01Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2022-38419"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.",
"id": "GHSA-gcqm-mj95-pmjx",
"modified": "2022-10-15T12:01:01Z",
"published": "2022-10-15T12:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38419"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb22-44.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GCX3-8MJ9-XGM6
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document.
{
"affected": [],
"aliases": [
"CVE-2021-20839"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-01T02:15:00Z",
"severity": "MODERATE"
},
"details": "Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document.",
"id": "GHSA-gcx3-8mj9-xgm6",
"modified": "2022-05-24T19:19:22Z",
"published": "2022-05-24T19:19:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20839"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN33453839/index.html"
},
{
"type": "WEB",
"url": "https://www.antenna.co.jp/news/2021/osdc72-20211027.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GCXJ-MHMW-GGHW
Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960.
{
"affected": [],
"aliases": [
"CVE-2016-9698"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-08T21:29:00Z",
"severity": "HIGH"
},
"details": "IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960.",
"id": "GHSA-gcxj-mhmw-gghw",
"modified": "2022-05-17T02:41:26Z",
"published": "2022-05-17T02:41:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9698"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/119522"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21999960"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22002258"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96829"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GF6F-95CV-MV72
Vulnerability from github – Published: 2022-05-14 03:06 – Updated: 2022-05-14 03:06Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML).
{
"affected": [],
"aliases": [
"CVE-2018-1000546"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-26T16:29:00Z",
"severity": "HIGH"
},
"details": "Triplea version \u003c= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML).",
"id": "GHSA-gf6f-95cv-mv72",
"modified": "2022-05-14T03:06:31Z",
"published": "2022-05-14T03:06:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000546"
},
{
"type": "WEB",
"url": "https://github.com/triplea-game/triplea/issues/3442"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/05/31/TripleA-XXE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GFQH-8V9Q-F2VF
Vulnerability from github – Published: 2023-12-13 12:30 – Updated: 2023-12-13 12:30An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the attacker and the server's file system.
{
"affected": [],
"aliases": [
"CVE-2023-6721"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-13T10:15:11Z",
"severity": "HIGH"
},
"details": "An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application\u0027s XML data processing in the fileupload function, resulting in interaction between the attacker and the server\u0027s file system.",
"id": "GHSA-gfqh-8v9q-f2vf",
"modified": "2023-12-13T12:30:42Z",
"published": "2023-12-13T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6721"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GG2J-6Q4V-8GCF
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584."
{
"affected": [],
"aliases": [
"CVE-2022-40747"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "CRITICAL"
},
"details": "\"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584.\"",
"id": "GHSA-gg2j-6q4v-8gcf",
"modified": "2022-11-04T19:01:15Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40747"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6829373"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.