CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-QWWW-R8V3-26CG
Vulnerability from github – Published: 2024-11-04 21:30 – Updated: 2024-11-04 21:30IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2024-45086"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T20:15:05Z",
"severity": "MODERATE"
},
"details": "IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.",
"id": "GHSA-qwww-r8v3-26cg",
"modified": "2024-11-04T21:30:32Z",
"published": "2024-11-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45086"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7174745"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QXHF-XWCG-8FXP
Vulnerability from github – Published: 2022-05-24 16:43 – Updated: 2024-04-04 00:01An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.
{
"affected": [],
"aliases": [
"CVE-2019-8999"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-18T17:29:00Z",
"severity": "HIGH"
},
"details": "An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.",
"id": "GHSA-qxhf-xwcg-8fxp",
"modified": "2024-04-04T00:01:34Z",
"published": "2022-05-24T16:43:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8999"
},
{
"type": "WEB",
"url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000056241"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R268-64HQ-MV45
Vulnerability from github – Published: 2024-09-12 03:31 – Updated: 2024-09-12 03:31An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
{
"affected": [],
"aliases": [
"CVE-2024-37397"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T02:15:03Z",
"severity": "HIGH"
},
"details": "An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.",
"id": "GHSA-r268-64hq-mv45",
"modified": "2024-09-12T03:31:26Z",
"published": "2024-09-12T03:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37397"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2MJ-8WGQ-73M6
Vulnerability from github – Published: 2021-08-09 20:43 – Updated: 2024-09-20 20:59The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Glances"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23418"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-02T18:18:37Z",
"nvd_published_at": "2021-07-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.\n",
"id": "GHSA-r2mj-8wgq-73m6",
"modified": "2024-09-20T20:59:24Z",
"published": "2021-08-09T20:43:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23418"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/issues/1025"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r2mj-8wgq-73m6"
},
{
"type": "PACKAGE",
"url": "https://github.com/nicolargo/glances"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/glances/PYSEC-2021-115.yaml"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XML External Entity Reference in Glances"
}
GHSA-R2PP-X4MM-4999
Vulnerability from github – Published: 2018-12-20 22:02 – Updated: 2022-09-14 22:20neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.0.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.neo4j.procedure:apoc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000820"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:53:21Z",
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.",
"id": "GHSA-r2pp-x4mm-4999",
"modified": "2022-09-14T22:20:27Z",
"published": "2018-12-20T22:02:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000820"
},
{
"type": "WEB",
"url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/27/neo4f-apoc-procedures-XXE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity (XXE) vulnerability in neo4j.procedure:apoc"
}
GHSA-R362-P5VX-PJ8P
Vulnerability from github – Published: 2026-05-05 18:33 – Updated: 2026-05-06 21:31OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.
{
"affected": [],
"aliases": [
"CVE-2026-38429"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T17:17:04Z",
"severity": "CRITICAL"
},
"details": "OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.",
"id": "GHSA-r362-p5vx-pj8p",
"modified": "2026-05-06T21:31:35Z",
"published": "2026-05-05T18:33:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38429"
},
{
"type": "WEB",
"url": "https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3Q8-G85H-PPF4
Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-03 21:31IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 An XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server could allow attackers to retrieve sensitive information from the server.
{
"affected": [],
"aliases": [
"CVE-2026-1567"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T21:15:57Z",
"severity": "HIGH"
},
"details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 An XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server could allow attackers to retrieve sensitive information from the server.",
"id": "GHSA-r3q8-g85h-ppf4",
"modified": "2026-03-03T21:31:17Z",
"published": "2026-03-03T21:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1567"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7259630"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3XG-RG9J-67FV
Vulnerability from github – Published: 2026-06-03 21:13 – Updated: 2026-06-03 21:13Impact
The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity (XXE) attacks to read local files or cause denial of service - Decompression bombs (zip bombs) to exhaust memory and disk space - Unbounded archive extraction consuming system resources
An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.
Patches
Fixed in version 2.91.0. The fix implements:
- Secure XML parsing with resolve_entities=False, load_dtd=False, and no_network=True
- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count
- Cumulative size tracking across all extractions
- Early termination when limits are exceeded
- Secure format detection of METS-GBS tar archives with _detect_mets_gbs() method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded
Workarounds
Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.
References
- Fix release: v2.91.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "docling"
},
"ranges": [
{
"events": [
{
"introduced": "2.45.0"
},
{
"fixed": "2.91.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44018"
],
"database_specific": {
"cwe_ids": [
"CWE-409",
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-03T21:13:32Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe METS-GBS backend\u0027s XML parsing and the input document format detection lacked security controls, enabling:\n- XML External Entity (XXE) attacks to read local files or cause denial of service\n- Decompression bombs (zip bombs) to exhaust memory and disk space\n- Unbounded archive extraction consuming system resources\n\nAn attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.\n\n### Patches\nFixed in version 2.91.0. The fix implements:\n- Secure XML parsing with `resolve_entities=False`, `load_dtd=False`, and `no_network=True`\n- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count\n- Cumulative size tracking across all extractions\n- Early termination when limits are exceeded\n- Secure format detection of METS-GBS tar archives with `_detect_mets_gbs()` method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded\n\n### Workarounds\nAvoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.\n\n### References\n- Fix release: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)",
"id": "GHSA-r3xg-rg9j-67fv",
"modified": "2026-06-03T21:13:33Z",
"published": "2026-06-03T21:13:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv"
},
{
"type": "PACKAGE",
"url": "https://github.com/docling-project/docling"
},
{
"type": "WEB",
"url": "https://github.com/docling-project/docling/releases/tag/v2.91.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend"
}
GHSA-R3XJ-VJPQ-7CVQ
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-26 00:01Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.
{
"affected": [],
"aliases": [
"CVE-2022-35741"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.",
"id": "GHSA-r3xj-vjpq-7cvq",
"modified": "2022-07-26T00:01:03Z",
"published": "2022-07-19T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35741"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/hwhxvtwp1d5dsm156bsf1cnyvtmrfv3f"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/18/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/20/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R43H-PVQH-QQ63
Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2024-04-04 02:49WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.
{
"affected": [],
"aliases": [
"CVE-2020-11885"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-17T20:15:00Z",
"severity": "HIGH"
},
"details": "WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.",
"id": "GHSA-r43h-pvqh-qq63",
"modified": "2024-04-04T02:49:55Z",
"published": "2022-05-24T17:15:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11885"
},
{
"type": "WEB",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0684"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.