Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-H975-R69H-4W9P

Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 20:46
VLAI
Summary
Insufficient user input in Apache Jetspeed-2
Details

** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.portals.jetspeed-2:jetspeed-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-32533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-611",
      "CWE-79",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T17:57:13Z",
    "nvd_published_at": "2022-07-06T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.",
  "id": "GHSA-h975-r69h-4w9p",
  "modified": "2022-07-15T20:46:57Z",
  "published": "2022-07-07T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32533"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient user input in Apache Jetspeed-2"
}

GHSA-H9FV-PF3W-2RH8

Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-19 00:00
VLAI
Details

In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-16T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Sphinx\u2122 before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.",
  "id": "GHSA-h9fv-pf3w-2rh8",
  "modified": "2022-08-19T00:00:39Z",
  "published": "2022-08-17T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2838"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/580542"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9GX-CVW7-JF96

Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-14 00:01
VLAI
Details

Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-04T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.",
  "id": "GHSA-h9gx-cvw7-jf96",
  "modified": "2022-05-14T00:01:31Z",
  "published": "2022-05-05T00:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29943"
    },
    {
      "type": "WEB",
      "url": "https://Talend.com"
    },
    {
      "type": "WEB",
      "url": "https://www.talend.com/security/incident-response/#CVE-2022-29942"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HC9X-XMWH-8232

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26
VLAI
Details

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-21T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.",
  "id": "GHSA-hc9x-xmwh-8232",
  "modified": "2022-05-24T17:26:21Z",
  "published": "2022-05-24T17:26:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24591"
    },
    {
      "type": "WEB",
      "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFJ4-XQ5F-7MC7

Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction \u0026 Internal file read in Business Central and also Kie-Server APIs.",
  "id": "GHSA-hfj4-xq5f-7mc7",
  "modified": "2022-08-16T00:00:23Z",
  "published": "2022-08-11T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2458"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFXG-757P-Q6W7

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-21T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.",
  "id": "GHSA-hfxg-757p-q6w7",
  "modified": "2022-05-24T17:48:05Z",
  "published": "2022-05-24T17:48:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20454"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196649"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6445481"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HG4J-XGV6-PCR2

Vulnerability from github – Published: 2025-06-09 18:32 – Updated: 2026-04-01 18:35
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-09T16:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2.",
  "id": "GHSA-hg4j-xgv6-pcr2",
  "modified": "2026-04-01T18:35:24Z",
  "published": "2025-06-09T18:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31039"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-xml-external-entity-xxe-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HG4V-R4M7-XJ5J

Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-07 21:30
VLAI
Details

An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-07T16:15:34Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.",
  "id": "GHSA-hg4v-r4m7-xj5j",
  "modified": "2025-01-07T21:30:55Z",
  "published": "2025-01-07T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46603"
    },
    {
      "type": "WEB",
      "url": "https://www.elspec-ltd.com/support/security-advisories"
    },
    {
      "type": "WEB",
      "url": "http://elspec.com"
    },
    {
      "type": "WEB",
      "url": "http://g5.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ3G-VW9V-9WJ4

Vulnerability from github – Published: 2026-05-29 21:31 – Updated: 2026-05-29 21:31
VLAI
Details

In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T19:16:28Z",
    "severity": "LOW"
  },
  "details": "In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible",
  "id": "GHSA-hj3g-vw9v-9wj4",
  "modified": "2026-05-29T21:31:23Z",
  "published": "2026-05-29T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49383"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ5J-C8QP-MGMV

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02
VLAI
Details

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-24T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
  "id": "GHSA-hj5j-c8qp-mgmv",
  "modified": "2024-04-04T01:02:40Z",
  "published": "2022-05-24T16:48:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/issues/186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/pull/262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2021-11"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4472"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4040-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4040-1"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K51011533"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190703-0001"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201911-08"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Jun/39"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.