CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-J6V2-MWXM-F952
Vulnerability from github – Published: 2023-06-29 21:30 – Updated: 2023-07-06 21:39py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "py-xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26709"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-30T20:36:36Z",
"nvd_published_at": "2023-06-29T21:15:09Z",
"severity": "HIGH"
},
"details": "py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.",
"id": "GHSA-j6v2-mwxm-f952",
"modified": "2023-07-06T21:39:34Z",
"published": "2023-06-29T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26709"
},
{
"type": "WEB",
"url": "https://github.com/PinaeOS/py-xml/issues/2"
},
{
"type": "PACKAGE",
"url": "https://github.com/PinaeOS/py-xml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/py-xml/PYSEC-2023-95.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "py-xml XML External Entity Injection vulnerability"
}
GHSA-J7H4-P7F6-R3RM
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.
{
"affected": [],
"aliases": [
"CVE-2019-18943"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-26T04:15:00Z",
"severity": "HIGH"
},
"details": "Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.",
"id": "GHSA-j7h4-p7f6-r3rm",
"modified": "2022-05-24T17:43:06Z",
"published": "2022-05-24T17:43:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18943"
},
{
"type": "WEB",
"url": "http://knowledgebase.serena.com/resources/sites/KNOWLEDGEBASE/content/live/SOLUTIONS/142000/S142001/en_US/sbm_11.7.1_security_bulletin.htm"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J7M6-XXHH-82QR
Vulnerability from github – Published: 2023-05-19 09:30 – Updated: 2023-05-19 09:30A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to xml external entity reference. The associated identifier of this vulnerability is VDB-229411. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-2806"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-19T09:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to xml external entity reference. The associated identifier of this vulnerability is VDB-229411. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-j7m6-xxhh-82qr",
"modified": "2023-05-19T09:30:21Z",
"published": "2023-05-19T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2806"
},
{
"type": "WEB",
"url": "https://github.com/Strangenees/e-cology/blob/main/main.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.229411"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.229411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J7VJ-XVHR-MPVF
Vulnerability from github – Published: 2022-05-17 02:57 – Updated: 2022-05-17 02:57An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
{
"affected": [],
"aliases": [
"CVE-2016-8348"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T21:59:00Z",
"severity": "CRITICAL"
},
"details": "An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.",
"id": "GHSA-j7vj-xvhr-mpvf",
"modified": "2022-05-17T02:57:09Z",
"published": "2022-05-17T02:57:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8348"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-334-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94587"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J898-7MVF-JVMR
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.
{
"affected": [],
"aliases": [
"CVE-2018-1821"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-13T16:29:00Z",
"severity": "CRITICAL"
},
"details": "IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.",
"id": "GHSA-j898-7mvf-jvmr",
"modified": "2022-05-13T01:32:37Z",
"published": "2022-05-13T01:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1821"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/150170"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46017"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10744149"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8FX-R46G-PR83
Vulnerability from github – Published: 2022-10-15 12:01 – Updated: 2022-10-15 12:01Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2022-42341"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-14T20:15:00Z",
"severity": "HIGH"
},
"details": "Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.",
"id": "GHSA-j8fx-r46g-pr83",
"modified": "2022-10-15T12:01:02Z",
"published": "2022-10-15T12:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42341"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb22-44.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J8VF-V36P-7QJW
Vulnerability from github – Published: 2022-05-14 01:37 – Updated: 2022-05-14 01:37An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.
{
"affected": [],
"aliases": [
"CVE-2018-7837"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-24T16:29:00Z",
"severity": "HIGH"
},
"details": "An Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.",
"id": "GHSA-j8vf-v36p-7qjw",
"modified": "2022-05-14T01:37:26Z",
"published": "2022-05-14T01:37:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7837"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106484"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J8XR-2279-88QJ
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-12-06 19:41Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. There is currently no known workaround or fix for this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.praqma:rqm-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41241"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-23T13:36:52Z",
"nvd_published_at": "2022-09-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. There is currently no known workaround or fix for this issue.",
"id": "GHSA-j8xr-2279-88qj",
"modified": "2022-12-06T19:41:02Z",
"published": "2022-09-22T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41241"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/rqm-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2805"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference"
}
GHSA-J9GX-W67P-W37R
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2025-02-18 18:33This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the LoadImportedLibraries method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-17394.
{
"affected": [],
"aliases": [
"CVE-2022-36969"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the LoadImportedLibraries method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-17394.",
"id": "GHSA-j9gx-w67p-w37r",
"modified": "2025-02-18T18:33:01Z",
"published": "2023-03-29T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36969"
},
{
"type": "WEB",
"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J9RH-P96M-MHHP
Vulnerability from github – Published: 2026-05-04 15:31 – Updated: 2026-05-08 17:29Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup.
This issue affects jOpenDocument: 1.5.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jopendocument:jOpenDocument"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6501"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:29:26Z",
"nvd_published_at": "2026-05-04T15:16:05Z",
"severity": "MODERATE"
},
"details": "Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup.\n\nThis issue affects jOpenDocument: 1.5.",
"id": "GHSA-j9rh-p96m-mhhp",
"modified": "2026-05-08T17:29:26Z",
"published": "2026-05-04T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6501"
},
{
"type": "WEB",
"url": "https://www.jopendocument.org/documentation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "jOpenDocument has an improper restriction of XML external entity reference vulnerability"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.