Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-PC2G-MV23-62MR

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-13T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612.",
  "id": "GHSA-pc2g-mv23-62mr",
  "modified": "2022-05-13T01:14:05Z",
  "published": "2022-05-13T01:14:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1477"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128612"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22009240"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC48-9J3J-4V3W

Vulnerability from github – Published: 2023-02-21 09:30 – Updated: 2023-03-02 18:30
VLAI
Details

php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-21T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \\LIBXML_DTDLOAD | \\LIBXML_DTDATTR.",
  "id": "GHSA-pc48-9j3j-4v3w",
  "modified": "2023-03-02T18:30:31Z",
  "published": "2023-02-21T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26267"
    },
    {
      "type": "WEB",
      "url": "https://git.sr.ht/~fkooman/php-saml-sp/commit/851f75b298a77e62d9022f1b170f662f5f7716d6"
    },
    {
      "type": "WEB",
      "url": "https://git.sr.ht/~fkooman/php-saml-sp/log"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC54-PCHM-XCW6

Vulnerability from github – Published: 2022-05-17 04:13 – Updated: 2022-06-17 01:12
VLAI
Summary
XML External Entity Reference in RESTEasy
Details

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.10.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jboss.resteasy:resteasy-jaxrs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.11.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-7839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T01:12:47Z",
    "nvd_published_at": "2014-11-25T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.",
  "id": "GHSA-pc54-pchm-xcw6",
  "modified": "2022-06-17T01:12:47Z",
  "published": "2022-05-17T04:13:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/resteasy/resteasy/pull/611/commits/3ab999c899c455a0b0a00bf5e455ed3e8d9ae347"
    },
    {
      "type": "WEB",
      "url": "https://github.com/resteasy/resteasy/pull/611/commits/8b5d8cfc963794a74636d9a840e899408ec8fdc6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/resteasy/Resteasy"
    },
    {
      "type": "WEB",
      "url": "https://issues.jboss.org/browse/RESTEASY-1130"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "XML External Entity Reference in RESTEasy"
}

GHSA-PC6W-59FV-RH23

Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-05 15:28
VLAI
Summary
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
Details

The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langchain-community"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-05T15:28:25Z",
    "nvd_published_at": "2025-09-04T10:42:33Z",
    "severity": "HIGH"
  },
  "details": "The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.",
  "id": "GHSA-pc6w-59fv-rh23",
  "modified": "2025-09-05T15:28:25Z",
  "published": "2025-09-04T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain-community/commit/e842452108089524e22c3a2ced851c021884556f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langchain-community"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py#L1-L23"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langchain Community Vulnerable to XML External Entity (XXE) Attacks"
}

GHSA-PCC2-W6M8-X5W4

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 16:42
VLAI
Summary
Agent-to-controller security bypass in Jenkins Semantic Versioning Plugin
Details

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:semantic-versioning-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:00:32Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-pcc2-w6m8-x5w4",
  "modified": "2023-02-06T16:42:09Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/semantic-versioning-plugin/commit/c67a89822f86a7d10498ea2783b833052b719086"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/semantic-versioning-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2973%20(1)"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Agent-to-controller security bypass in Jenkins Semantic Versioning Plugin "
}

GHSA-PCR4-7R58-755H

Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-13 15:30
VLAI
Details

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-01T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.",
  "id": "GHSA-pcr4-7r58-755h",
  "modified": "2023-03-13T15:30:19Z",
  "published": "2023-03-01T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20052"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-xxe-TcSZduhN"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PCW3-P344-Q7JR

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2024-02-27 21:31
VLAI
Details

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-30T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Pulse Connect Secure \u003c 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.",
  "id": "GHSA-pcw3-p344-q7jr",
  "modified": "2024-02-27T21:31:23Z",
  "published": "2022-05-24T17:29:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8256"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
    },
    {
      "type": "WEB",
      "url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PF54-3GGM-97RV

Vulnerability from github – Published: 2024-10-28 12:30 – Updated: 2026-04-01 18:32
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T12:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980.",
  "id": "GHSA-pf54-3ggm-97rv",
  "modified": "2026-04-01T18:32:09Z",
  "published": "2024-10-28T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50442"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-and-templates-plugin-1-3-980-xml-external-entity-xxe-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-980-xml-external-entity-xxe-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFPG-H57H-CGRJ

Vulnerability from github – Published: 2022-05-14 01:51 – Updated: 2022-05-14 01:51
VLAI
Details

An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-05T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.",
  "id": "GHSA-pfpg-h57h-cgrj",
  "modified": "2022-05-14T01:51:58Z",
  "published": "2022-05-14T01:51:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16521"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openmrs/openmrs-module-htmlformentry/pull/137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openmrs/openmrs-module-htmlformentry/pull/138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFR4-5HM6-GJRQ

Vulnerability from github – Published: 2025-07-23 06:33 – Updated: 2025-07-23 06:33
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-23T06:15:26Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.",
  "id": "GHSA-pfr4-5hm6-gjrq",
  "modified": "2025-07-23T06:33:51Z",
  "published": "2025-07-23T06:33:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54445"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungtv.com/securityUpdates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.