Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-Q74F-RF27-8HXC

Vulnerability from github – Published: 2023-10-31 00:31 – Updated: 2023-11-06 16:34
VLAI
Summary
OpenCRX allows a remote attacker to execute arbitrary code via a crafted request
Details

An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencrx:opencrx-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-01T17:14:19Z",
    "nvd_published_at": "2023-10-30T23:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.",
  "id": "GHSA-q74f-rf27-8hxc",
  "modified": "2023-11-06T16:34:04Z",
  "published": "2023-10-31T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46502"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencrx/opencrx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenCRX allows a remote attacker to execute arbitrary code via a crafted request"
}

GHSA-Q74V-WMPG-RR8Q

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:12
VLAI
Details

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-05T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.",
  "id": "GHSA-q74v-wmpg-rr8q",
  "modified": "2024-04-04T01:12:23Z",
  "published": "2022-05-24T16:49:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencats/OpenCATS/pull/440"
    },
    {
      "type": "WEB",
      "url": "https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164253/OpenCats-0.9.4-2-XML-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://www.opencats.org/news"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7XG-HH3Q-HC68

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2023-10-27 14:19
VLAI
Summary
XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin
Details

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:config-file-provider"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T19:17:13Z",
    "nvd_published_at": "2021-04-21T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.",
  "id": "GHSA-q7xg-hh3q-hc68",
  "modified": "2023-10-27T14:19:48Z",
  "published": "2022-05-24T17:48:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/config-file-provider-plugin/commit/5f845bc015be769e595088bab11ec36c767671e1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/config-file-provider-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin"
}

GHSA-Q876-XVXF-R2H2

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-01T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.",
  "id": "GHSA-q876-xvxf-r2h2",
  "modified": "2022-05-13T01:36:22Z",
  "published": "2022-05-13T01:36:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7426"
    },
    {
      "type": "WEB",
      "url": "https://www.novell.com/support/kb/doc.php?id=7021173"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q87H-3PPQ-WWF5

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-10-19 19:00
VLAI
Details

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-13T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.",
  "id": "GHSA-q87h-3ppq-wwf5",
  "modified": "2022-10-19T19:00:24Z",
  "published": "2022-05-24T17:34:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7032"
    },
    {
      "type": "WEB",
      "url": "https://downloads.avaya.com/css/P8/documents/101072249"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Nov/31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8X7-F6F7-8J2H

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-04-04 02:49
VLAI
Details

SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.",
  "id": "GHSA-q8x7-f6f7-8j2h",
  "modified": "2024-04-04T02:49:10Z",
  "published": "2022-05-24T17:10:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6202"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2847787"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9CP-MC96-M4W2

Vulnerability from github – Published: 2020-11-23 21:18 – Updated: 2024-02-05 11:16
VLAI
Summary
XML External Entity in Dashboard Widget
Details

Problem

It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.

At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.

Solution

Update to TYPO3 version 10.4.10 that fixes the problem described.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-23T21:16:32Z",
    "nvd_published_at": "2020-11-23T22:15:12Z",
    "severity": "LOW"
  },
  "details": "### Problem\nIt has been discovered that RSS widgets are susceptible to XML external entity processing.\nThis vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.\n\nAt least with _libxml2_ version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.\n\n### Solution\nUpdate to TYPO3 version 10.4.10 that fixes the problem described.",
  "id": "GHSA-q9cp-mc96-m4w2",
  "modified": "2024-02-05T11:16:11Z",
  "published": "2020-11-23T21:18:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity in Dashboard Widget"
}

GHSA-Q9GV-R7Q5-76R2

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-01T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.",
  "id": "GHSA-q9gv-r7q5-76r2",
  "modified": "2022-05-13T01:14:04Z",
  "published": "2022-05-13T01:14:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3027"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21994440"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC7W-4567-84WV

Vulnerability from github – Published: 2024-06-07 20:30 – Updated: 2024-06-07 20:30
VLAI
Summary
Zendframework vulnerable to XXE/XEE attacks
Details

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

  • XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
  • XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T20:30:06Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
  "id": "GHSA-qc7w-4567-84wv",
  "modified": "2024-06-07T20:30:06Z",
  "published": "2024-06-07T20:30:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/225a8c9f1c3bc08c0bddf22486a8a39ff7186ac1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/5dab7b8e77741dbba56209616b7815bb04f4c561"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/68d0756c596baeefad0b733b42ef2657d09c7f4e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/bbcf41e676ef6d8f16ea9d6499050bca0787eb6c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/ee7f81cc996fb1c16c7dae23eca9ec013ab74730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/fbeba98d5a9924b026a5dd98f679143fd6be89ea"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2014-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zendframework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zendframework vulnerable to XXE/XEE attacks"
}

GHSA-QCFC-HMRC-59X7

Vulnerability from github – Published: 2026-01-11 15:31 – Updated: 2026-01-16 19:10
VLAI
Summary
Apache Struts 2 is Missing XML Validation
Details

Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "last_affected": "2.3.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "last_affected": "2.5.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.2.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.opensymphony:xwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 6.1.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts.xwork:xwork-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-112",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T21:49:00Z",
    "nvd_published_at": "2026-01-11T13:15:45Z",
    "severity": "HIGH"
  },
  "details": "Missing XML Validation vulnerability in Apache Struts, Apache Struts.\n\nThis issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.\n\nUsers are recommended to upgrade to version 6.1.1, which fixes the issue.",
  "id": "GHSA-qcfc-hmrc-59x7",
  "modified": "2026-01-16T19:10:45Z",
  "published": "2026-01-11T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68493"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/WW/S2-069"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/11/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Struts 2 is Missing XML Validation"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.