Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-JQCQ-M297-WGGX

Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2025-04-20 03:38
VLAI
Details

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-26T01:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.",
  "id": "GHSA-jqcq-m297-wggx",
  "modified": "2025-04-20T03:38:14Z",
  "published": "2022-05-14T00:56:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6256"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42036"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/142597/SAP-Business-One-For-Android-1.2.3-XML-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98590"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQFV-JRVQ-95JM

Vulnerability from github – Published: 2024-10-09 12:30 – Updated: 2025-07-10 23:20
VLAI
Summary
Apache XML Graphics FOP XML External Entity Reference ('XXE') vulnerability
Details

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.

This issue affects Apache XML Graphics FOP: 2.9.

Users are recommended to upgrade to version 2.10, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.xmlgraphics:fop-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-09T15:26:12Z",
    "nvd_published_at": "2024-10-09T12:15:02Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability in Apache XML Graphics FOP.\n\nThis issue affects Apache XML Graphics FOP: 2.9.\n\nUsers are recommended to upgrade to version 2.10, which fixes the issue.",
  "id": "GHSA-jqfv-jrvq-95jm",
  "modified": "2025-07-10T23:20:07Z",
  "published": "2024-10-09T12:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28168"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/xmlgraphics-fop/commit/d96ba9a11710d02716b6f4f6107ebfa9ccec7134"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/xmlgraphics-fop"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/FOP-3168"
    },
    {
      "type": "WEB",
      "url": "https://xmlgraphics.apache.org/security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/10/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache XML Graphics FOP XML External Entity Reference (\u0027XXE\u0027) vulnerability"
}

GHSA-JQMR-2PG9-VFX7

Vulnerability from github – Published: 2026-01-05 15:32 – Updated: 2026-01-05 23:14
VLAI
Summary
Apache SIS has Improper Restriction of XML External Entity Reference vulnerability
Details

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS.

It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services:

  • Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG).

  • Parsing of ISO 19115 metadata in XML format.

  • Parsing of Coordinate Reference Systems defined in the GML format.

  • Parsing of files in GPS Exchange Format (GPX).

This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example:

java -Djavax.xml.accessExternalDTD="" ...

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.sis.core:sis-metadata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4"
            },
            {
              "fixed": "1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T23:14:54Z",
    "nvd_published_at": "2026-01-05T14:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in Apache SIS.\n\n\n\nIt is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services:\n\n\n\n\n  *  Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG).\n\n  *  Parsing of ISO 19115 metadata in XML format.\n\n  *  Parsing of Coordinate Reference Systems defined in the GML format.\n\n  *  Parsing of files in GPS Exchange Format (GPX).\n\n\n\n\n\nThis issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example:\n\n\n\njava -Djavax.xml.accessExternalDTD=\"\" ...",
  "id": "GHSA-jqmr-2pg9-vfx7",
  "modified": "2026-01-05T23:14:54Z",
  "published": "2026-01-05T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68280"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/sis"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/s4ggy3zbtrrn93glgo2vn52lgcxk4bp4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/05/11"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/05/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache SIS has Improper Restriction of XML External Entity Reference vulnerability"
}

GHSA-JRV6-P293-PHJX

Vulnerability from github – Published: 2022-05-01 01:57 – Updated: 2024-02-08 21:30
VLAI
Details

The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-1306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-06-15T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the \"XML External Entity vulnerability.\"",
  "id": "GHSA-jrv6-p293-phjx",
  "modified": "2024-02-08T21:30:31Z",
  "published": "2022-05-01T01:57:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1306"
    },
    {
      "type": "WEB",
      "url": "http://www.adobe.com/support/techdocs/331710.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/13962"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVF2-RRQ7-V6RF

Vulnerability from github – Published: 2022-05-14 01:50 – Updated: 2022-05-14 01:50
VLAI
Details

An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php calls simplexml_load_string. This can also be used for SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-29T12:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE issue was discovered in Douchat 4.0.4 because Data\\notify.php calls simplexml_load_string. This can also be used for SSRF.",
  "id": "GHSA-jvf2-rrq7-v6rf",
  "modified": "2022-05-14T01:50:10Z",
  "published": "2022-05-14T01:50:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AvaterXXX/douchat/blob/master/xxe.md#xxe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVFV-HRRC-6Q72

Vulnerability from github – Published: 2022-03-05 00:00 – Updated: 2025-11-03 22:28
VLAI
Summary
Improper Restriction of XML External Entity Reference in Liquibase
Details

The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.liquibase:liquibase-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-07T16:29:11Z",
    "nvd_published_at": "2022-03-04T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
  "id": "GHSA-jvfv-hrrc-6q72",
  "modified": "2025-11-03T22:28:08Z",
  "published": "2022-03-05T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liquibase/liquibase"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Liquibase"
}

GHSA-JVJM-J945-8QWC

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-10-27 13:11
VLAI
Summary
XXE vulnerability in Jenkins Visualworks Store Plugin
Details

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the output of a script that run Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Visualworks Store Plugin 1.1.4 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:visualworks-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-22T13:44:43Z",
    "nvd_published_at": "2020-11-04T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with the ability to control the output of a script that run Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Visualworks Store Plugin 1.1.4 disables external entity resolution for its XML parser.",
  "id": "GHSA-jvjm-j945-8qwc",
  "modified": "2023-10-27T13:11:14Z",
  "published": "2022-05-24T17:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/visualworks-store-plugin/commit/267bb709c3412f6517b4631c867d16eb72af6d69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/visualworks-store-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Visualworks Store Plugin"
}

GHSA-JVMF-FPMJ-52R5

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-18591.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-18591.",
  "id": "GHSA-jvmf-fpmj-52r5",
  "modified": "2024-05-03T03:31:08Z",
  "published": "2024-05-03T03:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51602"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1851"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVQM-W56M-W3J7

Vulnerability from github – Published: 2025-01-18 00:30 – Updated: 2025-01-21 18:31
VLAI
Details

In multiple functions of MiniThumbFile.java, there is a possible way to view the thumbnails of deleted photos due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-17T23:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In multiple functions of MiniThumbFile.java, there is a possible way to view the thumbnails of deleted photos due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-jvqm-w56m-w3j7",
  "modified": "2025-01-21T18:31:06Z",
  "published": "2025-01-18T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9379"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVVX-4FHR-XXQV

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-17T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Zimbra Collaboration Suite Network Edition versions \u003c 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17.",
  "id": "GHSA-jvvx-4fhr-xxqv",
  "modified": "2022-05-24T17:36:45Z",
  "published": "2022-05-24T17:36:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35123"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P10"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.