Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-QWWW-R8V3-26CG

Vulnerability from github – Published: 2024-11-04 21:30 – Updated: 2024-11-04 21:30
VLAI
Details

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T20:15:05Z",
    "severity": "MODERATE"
  },
  "details": "IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-qwww-r8v3-26cg",
  "modified": "2024-11-04T21:30:32Z",
  "published": "2024-11-04T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45086"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7174745"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXHF-XWCG-8FXP

Vulnerability from github – Published: 2022-05-24 16:43 – Updated: 2024-04-04 00:01
VLAI
Details

An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-18T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.",
  "id": "GHSA-qxhf-xwcg-8fxp",
  "modified": "2024-04-04T00:01:34Z",
  "published": "2022-05-24T16:43:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8999"
    },
    {
      "type": "WEB",
      "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000056241"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R268-64HQ-MV45

Vulnerability from github – Published: 2024-09-12 03:31 – Updated: 2024-09-12 03:31
VLAI
Details

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-12T02:15:03Z",
    "severity": "HIGH"
  },
  "details": "An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.",
  "id": "GHSA-r268-64hq-mv45",
  "modified": "2024-09-12T03:31:26Z",
  "published": "2024-09-12T03:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37397"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2MJ-8WGQ-73M6

Vulnerability from github – Published: 2021-08-09 20:43 – Updated: 2024-09-20 20:59
VLAI
Summary
XML External Entity Reference in Glances
Details

The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Glances"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T18:18:37Z",
    "nvd_published_at": "2021-07-29T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.\n",
  "id": "GHSA-r2mj-8wgq-73m6",
  "modified": "2024-09-20T20:59:24Z",
  "published": "2021-08-09T20:43:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/issues/1025"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r2mj-8wgq-73m6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nicolargo/glances"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/glances/PYSEC-2021-115.yaml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XML External Entity Reference in Glances"
}

GHSA-R2PP-X4MM-4999

Vulnerability from github – Published: 2018-12-20 22:02 – Updated: 2022-09-14 22:20
VLAI
Summary
XML External Entity (XXE) vulnerability in neo4j.procedure:apoc
Details

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.0.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.neo4j.procedure:apoc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:53:21Z",
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.",
  "id": "GHSA-r2pp-x4mm-4999",
  "modified": "2022-09-14T22:20:27Z",
  "published": "2018-12-20T22:02:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/27/neo4f-apoc-procedures-XXE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity (XXE) vulnerability in neo4j.procedure:apoc"
}

GHSA-R362-P5VX-PJ8P

Vulnerability from github – Published: 2026-05-05 18:33 – Updated: 2026-05-06 21:31
VLAI
Details

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-38429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-05T17:17:04Z",
    "severity": "CRITICAL"
  },
  "details": "OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.",
  "id": "GHSA-r362-p5vx-pj8p",
  "modified": "2026-05-06T21:31:35Z",
  "published": "2026-05-05T18:33:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3Q8-G85H-PPF4

Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-03 21:31
VLAI
Details

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 An XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server could allow attackers to retrieve sensitive information from the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T21:15:57Z",
    "severity": "HIGH"
  },
  "details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 An XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server could allow attackers to retrieve sensitive information from the server.",
  "id": "GHSA-r3q8-g85h-ppf4",
  "modified": "2026-03-03T21:31:17Z",
  "published": "2026-03-03T21:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1567"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7259630"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3XG-RG9J-67FV

Vulnerability from github – Published: 2026-06-03 21:13 – Updated: 2026-06-03 21:13
VLAI
Summary
Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend
Details

Impact

The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity (XXE) attacks to read local files or cause denial of service - Decompression bombs (zip bombs) to exhaust memory and disk space - Unbounded archive extraction consuming system resources

An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.

Patches

Fixed in version 2.91.0. The fix implements: - Secure XML parsing with resolve_entities=False, load_dtd=False, and no_network=True - Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count - Cumulative size tracking across all extractions - Early termination when limits are exceeded - Secure format detection of METS-GBS tar archives with _detect_mets_gbs() method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded

Workarounds

Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "docling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.45.0"
            },
            {
              "fixed": "2.91.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-409",
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:13:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe METS-GBS backend\u0027s XML parsing and the input document format detection lacked security controls, enabling:\n- XML External Entity (XXE) attacks to read local files or cause denial of service\n- Decompression bombs (zip bombs) to exhaust memory and disk space\n- Unbounded archive extraction consuming system resources\n\nAn attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.\n\n### Patches\nFixed in version 2.91.0. The fix implements:\n- Secure XML parsing with `resolve_entities=False`, `load_dtd=False`, and `no_network=True`\n- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count\n- Cumulative size tracking across all extractions\n- Early termination when limits are exceeded\n- Secure format detection of METS-GBS tar archives with `_detect_mets_gbs()` method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded\n\n### Workarounds\nAvoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.\n\n### References\n- Fix release: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)",
  "id": "GHSA-r3xg-rg9j-67fv",
  "modified": "2026-06-03T21:13:33Z",
  "published": "2026-06-03T21:13:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/docling-project/docling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docling-project/docling/releases/tag/v2.91.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend"
}

GHSA-R3XJ-VJPQ-7CVQ

Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-26 00:01
VLAI
Details

Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-18T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.",
  "id": "GHSA-r3xj-vjpq-7cvq",
  "modified": "2022-07-26T00:01:03Z",
  "published": "2022-07-19T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35741"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/hwhxvtwp1d5dsm156bsf1cnyvtmrfv3f"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/18/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/20/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R43H-PVQH-QQ63

Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2024-04-04 02:49
VLAI
Details

WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-17T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.",
  "id": "GHSA-r43h-pvqh-qq63",
  "modified": "2024-04-04T02:49:55Z",
  "published": "2022-05-24T17:15:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11885"
    },
    {
      "type": "WEB",
      "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0684"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.