Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-P2QF-9VP6-3JJQ

Vulnerability from github – Published: 2023-06-15 15:30 – Updated: 2024-03-01 14:32
VLAI
Summary
HuTool XML parsing module has blind XXE vulnerability
Details

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cn.hutool:hutool-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.8.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-16T19:39:29Z",
    "nvd_published_at": "2023-06-15T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference.",
  "id": "GHSA-p2qf-9vp6-3jjq",
  "modified": "2024-03-01T14:32:41Z",
  "published": "2023-06-15T15:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3276"
    },
    {
      "type": "WEB",
      "url": "https://fbdhhhh47.github.io/2023/06/06/hutool-XXE"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dromara/hutool"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.231626"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.231626"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HuTool XML parsing module has blind XXE vulnerability"
}

GHSA-P343-WH48-8MVF

Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-08 00:00
VLAI
Details

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-28T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.",
  "id": "GHSA-p343-wh48-8mvf",
  "modified": "2022-05-08T00:00:34Z",
  "published": "2022-04-29T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24449"
    },
    {
      "type": "WEB",
      "url": "https://en.rt-solar.ru/products/solarAPPscreener"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jet-pentest/CVE-2022-24449"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P368-MJ9G-R3MH

Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-05-17 02:53
VLAI
Details

External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-23T06:59:00Z",
    "severity": "MODERATE"
  },
  "details": "External Entity Processing (XXE) vulnerability in the \"risk score\" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.",
  "id": "GHSA-p368-mj9g-r3mh",
  "modified": "2022-05-17T02:53:42Z",
  "published": "2022-05-17T02:53:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5748"
    },
    {
      "type": "WEB",
      "url": "https://www.novell.com/support/kb/doc.php?id=7017797"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P37Q-JM8V-RGQF

Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-05-27 06:31
VLAI
Details

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T04:16:26Z",
    "severity": "HIGH"
  },
  "details": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.7 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.",
  "id": "GHSA-p37q-jm8v-rgqf",
  "modified": "2026-05-27T06:31:34Z",
  "published": "2026-05-27T06:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2253"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/45677548193933--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2026-2253"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3G7-98FF-92PP

Vulnerability from github – Published: 2024-12-19 18:31 – Updated: 2025-01-02 21:31
VLAI
Details

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-19T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.",
  "id": "GHSA-p3g7-98ff-92pp",
  "modified": "2025-01-02T21:31:41Z",
  "published": "2024-12-19T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55081"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/summerxxoo/18b3ccc91aacd606aa4d48a02029e9e7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/summerxxoo/VulnPoc/blob/main/chat2DB_XXE.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P498-RPCW-3578

Vulnerability from github – Published: 2022-05-14 03:45 – Updated: 2024-01-30 22:41
VLAI
Summary
XXE vulnerability Jenkins Warnings Plugin
Details

Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.64"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins:warnings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.65"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:41:12Z",
    "nvd_published_at": "2018-01-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-p498-rpcw-3578",
  "modified": "2024-01-30T22:41:12Z",
  "published": "2022-05-14T03:45:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000012"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-01-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability Jenkins Warnings Plugin"
}

GHSA-P52V-VCVW-FCMG

Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32
VLAI
Details

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T16:15:05Z",
    "severity": "MODERATE"
  },
  "details": "TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).",
  "id": "GHSA-p52v-vcvw-fcmg",
  "modified": "2024-09-27T18:32:25Z",
  "published": "2024-09-27T18:32:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45745"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.topquadrant.com/wp-content/uploads/2024/06/changelog-8.0.1.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P58M-78V3-3XR8

Vulnerability from github – Published: 2025-08-19 15:31 – Updated: 2025-08-19 15:31
VLAI
Details

Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T14:15:38Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL.",
  "id": "GHSA-p58m-78v3-3xr8",
  "modified": "2025-08-19T15:31:28Z",
  "published": "2025-08-19T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4044"
    },
    {
      "type": "WEB",
      "url": "https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P65P-H8XW-F45X

Vulnerability from github – Published: 2024-03-28 15:30 – Updated: 2024-03-28 15:30
VLAI
Details

In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T15:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector",
  "id": "GHSA-p65p-h8xw-f45x",
  "modified": "2024-03-28T15:30:34Z",
  "published": "2024-03-28T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31139"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P674-HH8X-RV5H

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2023-10-27 15:00
VLAI
Summary
XML external entity vulnerability in Jenkins Nuget Plugin
Details

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This XML parser is used for the \"Build on NuGet updates\" feature.

This allows attackers with the ability to control the contents of the packages.config file in a workspace to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Nuget Plugin 1.1 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:nuget"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-07T23:54:54Z",
    "nvd_published_at": "2021-05-25T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This XML parser is used for the \\\"Build on NuGet updates\\\" feature.\n\nThis allows attackers with the ability to control the contents of the `packages.config` file in a workspace to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Nuget Plugin 1.1 disables external entity resolution for its XML parser.",
  "id": "GHSA-p674-hh8x-rv5h",
  "modified": "2023-10-27T15:00:45Z",
  "published": "2022-05-24T19:03:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21658"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nuget-plugin/commit/542bf38ac52f045741a5670e1644af351878f7e0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nuget-plugin/commit/c8ed4cb5b1c42f3c407f9f418b4e0b4274bea5a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/nuget-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-05-25/#SECURITY-2340"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/25/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML external entity vulnerability in Jenkins Nuget Plugin"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.