CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-PC2G-MV23-62MR
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612.
{
"affected": [],
"aliases": [
"CVE-2017-1477"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-13T23:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612.",
"id": "GHSA-pc2g-mv23-62mr",
"modified": "2022-05-13T01:14:05Z",
"published": "2022-05-13T01:14:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1477"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128612"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22009240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PC48-9J3J-4V3W
Vulnerability from github – Published: 2023-02-21 09:30 – Updated: 2023-03-02 18:30php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR.
{
"affected": [],
"aliases": [
"CVE-2023-26267"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-21T09:15:00Z",
"severity": "MODERATE"
},
"details": "php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \\LIBXML_DTDLOAD | \\LIBXML_DTDATTR.",
"id": "GHSA-pc48-9j3j-4v3w",
"modified": "2023-03-02T18:30:31Z",
"published": "2023-02-21T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26267"
},
{
"type": "WEB",
"url": "https://git.sr.ht/~fkooman/php-saml-sp/commit/851f75b298a77e62d9022f1b170f662f5f7716d6"
},
{
"type": "WEB",
"url": "https://git.sr.ht/~fkooman/php-saml-sp/log"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PC54-PCHM-XCW6
Vulnerability from github – Published: 2022-05-17 04:13 – Updated: 2022-06-17 01:12DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.10.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-jaxrs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.11.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-7839"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T01:12:47Z",
"nvd_published_at": "2014-11-25T15:59:00Z",
"severity": "MODERATE"
},
"details": "DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.",
"id": "GHSA-pc54-pchm-xcw6",
"modified": "2022-06-17T01:12:47Z",
"published": "2022-05-17T04:13:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7839"
},
{
"type": "WEB",
"url": "https://github.com/resteasy/resteasy/pull/611/commits/3ab999c899c455a0b0a00bf5e455ed3e8d9ae347"
},
{
"type": "WEB",
"url": "https://github.com/resteasy/resteasy/pull/611/commits/8b5d8cfc963794a74636d9a840e899408ec8fdc6"
},
{
"type": "PACKAGE",
"url": "https://github.com/resteasy/Resteasy"
},
{
"type": "WEB",
"url": "https://issues.jboss.org/browse/RESTEASY-1130"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "XML External Entity Reference in RESTEasy"
}
GHSA-PC6W-59FV-RH23
Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-05 15:28The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langchain-community"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6984"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-05T15:28:25Z",
"nvd_published_at": "2025-09-04T10:42:33Z",
"severity": "HIGH"
},
"details": "The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.",
"id": "GHSA-pc6w-59fv-rh23",
"modified": "2025-09-05T15:28:25Z",
"published": "2025-09-04T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6984"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain-community/commit/e842452108089524e22c3a2ced851c021884556f"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langchain-community"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py#L1-L23"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Langchain Community Vulnerable to XML External Entity (XXE) Attacks"
}
GHSA-PCC2-W6M8-X5W4
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 16:42Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:semantic-versioning-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24429"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T01:00:32Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "CRITICAL"
},
"details": "Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-pcc2-w6m8-x5w4",
"modified": "2023-02-06T16:42:09Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24429"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/semantic-versioning-plugin/commit/c67a89822f86a7d10498ea2783b833052b719086"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/semantic-versioning-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2973%20(1)"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Agent-to-controller security bypass in Jenkins Semantic Versioning Plugin "
}
GHSA-PCR4-7R58-755H
Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-13 15:30On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.
{
"affected": [],
"aliases": [
"CVE-2023-20052"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T08:15:00Z",
"severity": "MODERATE"
},
"details": "On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.",
"id": "GHSA-pcr4-7r58-755h",
"modified": "2023-03-13T15:30:19Z",
"published": "2023-03-01T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20052"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-xxe-TcSZduhN"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PCW3-P344-Q7JR
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2024-02-27 21:31A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-8256"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Pulse Connect Secure \u003c 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.",
"id": "GHSA-pcw3-p344-q7jr",
"modified": "2024-02-27T21:31:23Z",
"published": "2022-05-24T17:29:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8256"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"type": "WEB",
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF54-3GGM-97RV
Vulnerability from github – Published: 2024-10-28 12:30 – Updated: 2026-04-01 18:32Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980.
{
"affected": [],
"aliases": [
"CVE-2024-50442"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T12:15:15Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980.",
"id": "GHSA-pf54-3ggm-97rv",
"modified": "2026-04-01T18:32:09Z",
"published": "2024-10-28T12:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50442"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-and-templates-plugin-1-3-980-xml-external-entity-xxe-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-980-xml-external-entity-xxe-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFPG-H57H-CGRJ
Vulnerability from github – Published: 2022-05-14 01:51 – Updated: 2022-05-14 01:51An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.
{
"affected": [],
"aliases": [
"CVE-2018-16521"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-05T15:29:00Z",
"severity": "CRITICAL"
},
"details": "An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.",
"id": "GHSA-pfpg-h57h-cgrj",
"modified": "2022-05-14T01:51:58Z",
"published": "2022-05-14T01:51:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16521"
},
{
"type": "WEB",
"url": "https://github.com/openmrs/openmrs-module-htmlformentry/pull/137"
},
{
"type": "WEB",
"url": "https://github.com/openmrs/openmrs-module-htmlformentry/pull/138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFR4-5HM6-GJRQ
Vulnerability from github – Published: 2025-07-23 06:33 – Updated: 2025-07-23 06:33Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.
{
"affected": [],
"aliases": [
"CVE-2025-54445"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-23T06:15:26Z",
"severity": "HIGH"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.",
"id": "GHSA-pfr4-5hm6-gjrq",
"modified": "2025-07-23T06:33:51Z",
"published": "2025-07-23T06:33:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54445"
},
{
"type": "WEB",
"url": "https://security.samsungtv.com/securityUpdates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.