CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-HJF3-R7GW-9RWG
Vulnerability from github – Published: 2018-07-24 20:00 – Updated: 2024-09-20 17:15Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "feedparser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-2921"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:40:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.",
"id": "GHSA-hjf3-r7gw-9rwg",
"modified": "2024-09-20T17:15:41Z",
"published": "2018-07-24T20:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2921"
},
{
"type": "WEB",
"url": "https://code.google.com/p/feedparser/source/browse/trunk/NEWS?spec=svn706\u0026r=706"
},
{
"type": "WEB",
"url": "https://code.google.com/p/feedparser/source/detail?r=703\u0026path=/trunk/feedparser/feedparser.py"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-hjf3-r7gw-9rwg"
},
{
"type": "PACKAGE",
"url": "https://github.com/kurtmckee/feedparser"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/feedparser/PYSEC-2012-14.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20120604210617/http://www.securityfocus.com/bid/53654"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150523060531/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:118/?name=MDVSA-2013:118"
},
{
"type": "WEB",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0157"
},
{
"type": "WEB",
"url": "http://freecode.com/projects/feedparser/releases/344371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "feedparser denial of service vulnerability"
}
GHSA-HM3G-XJP2-HW8Q
Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540.
{
"affected": [],
"aliases": [
"CVE-2017-1666"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-09T20:29:00Z",
"severity": "HIGH"
},
"details": "IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540.",
"id": "GHSA-hm3g-xjp2-hw8q",
"modified": "2022-05-14T03:47:37Z",
"published": "2022-05-14T03:47:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1666"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/133560"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22011970"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM59-JVM9-5VJ7
Vulnerability from github – Published: 2025-07-08 21:30 – Updated: 2025-07-08 21:30ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.
{
"affected": [],
"aliases": [
"CVE-2025-49544"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T21:15:27Z",
"severity": "MODERATE"
},
"details": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.",
"id": "GHSA-hm59-jvm9-5vj7",
"modified": "2025-07-08T21:30:28Z",
"published": "2025-07-08T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49544"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HMHP-8P9W-M9G8
Vulnerability from github – Published: 2023-12-30 06:30 – Updated: 2024-01-05 21:30Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.
{
"affected": [],
"aliases": [
"CVE-2023-52252"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-30T06:15:43Z",
"severity": "CRITICAL"
},
"details": "Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.",
"id": "GHSA-hmhp-8p9w-m9g8",
"modified": "2024-01-05T21:30:32Z",
"published": "2023-12-30T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52252"
},
{
"type": "WEB",
"url": "https://harkenzo.tlstickle.com/2023-03-17-UR-Web-Triggerable-RCE"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMQ6-FRV3-4727
Vulnerability from github – Published: 2018-10-18 17:43 – Updated: 2022-09-14 00:10XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.dataformat:jackson-dataformat-xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-3720"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:40:41Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.",
"id": "GHSA-hmq6-frv3-4727",
"modified": "2022-09-14T00:10:34Z",
"published": "2018-10-18T17:43:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3720"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-hmq6-frv3-4727"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184561.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "jackson-dataformat-xml vulnerable to XML external entity (XXE)"
}
GHSA-HPGX-PFP3-82QV
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.
{
"affected": [],
"aliases": [
"CVE-2021-20502"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-30T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.",
"id": "GHSA-hpgx-pfp3-82qv",
"modified": "2022-05-24T17:45:43Z",
"published": "2022-05-24T17:45:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20502"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198059"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6437579"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HPM7-9WR3-CCFG
Vulnerability from github – Published: 2025-06-18 18:30 – Updated: 2025-06-18 18:30IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15
is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
{
"affected": [],
"aliases": [
"CVE-2025-36049"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T16:15:27Z",
"severity": "HIGH"
},
"details": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 \n\nis vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.",
"id": "GHSA-hpm7-9wr3-ccfg",
"modified": "2025-06-18T18:30:32Z",
"published": "2025-06-18T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36049"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7237146"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HQV6-VRP9-42X2
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2025-03-31 12:30Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
{
"affected": [],
"aliases": [
"CVE-2014-2052"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.",
"id": "GHSA-hqv6-vrp9-42x2",
"modified": "2025-03-31T12:30:44Z",
"published": "2022-05-17T19:57:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2052"
},
{
"type": "WEB",
"url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/66222"
},
{
"type": "WEB",
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR2V-VC99-3C32
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
{
"affected": [],
"aliases": [
"CVE-2020-36124"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-07T11:15:00Z",
"severity": "MODERATE"
},
"details": "Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).",
"id": "GHSA-hr2v-vc99-3c32",
"modified": "2022-05-24T19:01:47Z",
"published": "2022-05-24T19:01:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36124"
},
{
"type": "WEB",
"url": "https://blog.pridesec.com.br/p/4c972078-5f01-419e-8bea-cf31ff2e3670"
},
{
"type": "WEB",
"url": "https://marketing.paxtechnology.com/about-pax"
},
{
"type": "WEB",
"url": "https://www.whatspos.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HR5M-P87F-R39Q
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377.
{
"affected": [],
"aliases": [
"CVE-2017-1458"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-05T21:29:00Z",
"severity": "HIGH"
},
"details": "IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377.",
"id": "GHSA-hr5m-p87f-r39q",
"modified": "2022-05-14T01:05:31Z",
"published": "2022-05-14T01:05:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1458"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128377"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22007551"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100638"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.