CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1692 vulnerabilities reference this CWE, most recent first.
GHSA-MH83-JCW5-RJH8
Vulnerability from github – Published: 2022-01-14 21:07 – Updated: 2022-01-20 15:33The TransformXML() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "edu.stanford.nlp:stanford-corenlp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0198"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-14T20:54:24Z",
"nvd_published_at": "2022-01-13T07:15:00Z",
"severity": "MODERATE"
},
"details": "The TransformXML() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks.",
"id": "GHSA-mh83-jcw5-rjh8",
"modified": "2022-01-20T15:33:35Z",
"published": "2022-01-14T21:07:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0198"
},
{
"type": "WEB",
"url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
},
{
"type": "WEB",
"url": "https://github.com/stanfordnlp/corenlp"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in edu.stanford.nlp:stanford-corenlp"
}
GHSA-MHHF-PCPV-XQQQ
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2024-09-18 21:30An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem.
{
"affected": [],
"aliases": [
"CVE-2022-22835"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:45:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem.",
"id": "GHSA-mhhf-pcpv-xqqq",
"modified": "2024-09-18T21:30:37Z",
"published": "2022-03-11T00:02:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22835"
},
{
"type": "WEB",
"url": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835"
},
{
"type": "WEB",
"url": "https://labs.yarix.com/advisories/cve-2022-22835"
},
{
"type": "WEB",
"url": "https://overit.us/products/geocall"
},
{
"type": "WEB",
"url": "https://www.overit.ai/product/nextgen-fsm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MHJW-PXQP-CM9C
Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:02A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server.
{
"affected": [],
"aliases": [
"CVE-2023-37200"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T08:15:10Z",
"severity": "MODERATE"
},
"details": "\nA CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that\ncould cause loss of confidentiality when replacing a project file on the local filesystem and after\nmanual restart of the server. \n\n\n",
"id": "GHSA-mhjw-pxqp-cm9c",
"modified": "2024-04-04T06:02:20Z",
"published": "2023-07-12T09:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37200"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-192-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-192-02.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MHMR-F673-JQV8
Vulnerability from github – Published: 2022-05-17 02:24 – Updated: 2022-05-17 02:24The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2016-7460"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-29T09:59:00Z",
"severity": "CRITICAL"
},
"details": "The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-mhmr-f673-jqv8",
"modified": "2022-05-17T02:24:34Z",
"published": "2022-05-17T02:24:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7460"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94485"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037327"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037329"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2016-0022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHPC-25WR-QCWQ
Vulnerability from github – Published: 2022-05-17 02:26 – Updated: 2022-05-17 02:26IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859.
{
"affected": [],
"aliases": [
"CVE-2017-1219"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-19T20:29:00Z",
"severity": "MODERATE"
},
"details": "IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859.",
"id": "GHSA-mhpc-25wr-qcwq",
"modified": "2022-05-17T02:26:22Z",
"published": "2022-05-17T02:26:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1219"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123859"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22006014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHPX-3RV8-WRJM
Vulnerability from github – Published: 2024-06-07 21:16 – Updated: 2024-06-07 21:16Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:
- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T21:16:36Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Numerous components utilizing PHP\u0027s `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.\n",
"id": "GHSA-mhpx-3rv8-wrjm",
"modified": "2024-06-07T21:16:36Z",
"published": "2024-06-07T21:16:36Z",
"references": [
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-01.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zendframework/zf1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ZendFramework potential XML eXternal Entity injection vectors"
}
GHSA-MHQM-WG7C-PGWH
Vulnerability from github – Published: 2022-05-14 01:40 – Updated: 2022-05-14 01:40An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.
{
"affected": [],
"aliases": [
"CVE-2018-20318"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-21T00:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.",
"id": "GHSA-mhqm-wg7c-pgwh",
"modified": "2022-05-14T01:40:23Z",
"published": "2022-05-14T01:40:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20318"
},
{
"type": "WEB",
"url": "https://github.com/Wechat-Group/weixin-java-tools/issues/889"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHXG-PCMJ-CHVJ
Vulnerability from github – Published: 2022-05-17 00:36 – Updated: 2022-05-17 00:36IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156.
{
"affected": [],
"aliases": [
"CVE-2017-1527"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-26T17:29:00Z",
"severity": "HIGH"
},
"details": "IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156.",
"id": "GHSA-mhxg-pcmj-chvj",
"modified": "2022-05-17T00:36:07Z",
"published": "2022-05-17T00:36:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1527"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/130156"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22007346"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100959"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJ5V-GGJC-48P5
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-10-27 16:04Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.1.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:dependency-check-jenkins-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43577"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T16:41:14Z",
"nvd_published_at": "2021-11-12T11:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-mj5v-ggjc-48p5",
"modified": "2023-10-27T16:04:50Z",
"published": "2022-05-24T19:20:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43577"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/dependency-check-plugin/commit/c10d1496f9f0301e276daecea88161a905fca6d4"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/dependency-check-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2488"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins OWASP Dependency-Check Plugin"
}
GHSA-MJF9-XJP8-6CR8
Vulnerability from github – Published: 2026-01-06 18:31 – Updated: 2026-01-06 18:31Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control.
{
"affected": [],
"aliases": [
"CVE-2025-36589"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-06T17:15:43Z",
"severity": "HIGH"
},
"details": "Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control.",
"id": "GHSA-mjf9-xjp8-6cr8",
"modified": "2026-01-06T18:31:35Z",
"published": "2026-01-06T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36589"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.