CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-RPVM-9QG3-RJH7
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
{
"affected": [],
"aliases": [
"CVE-2021-41770"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-07T07:15:00Z",
"severity": "HIGH"
},
"details": "Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.",
"id": "GHSA-rpvm-9qg3-rjh7",
"modified": "2022-05-24T19:16:59Z",
"published": "2022-05-24T19:16:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41770"
},
{
"type": "WEB",
"url": "https://docs.pingidentity.com/bundle/pingfederate-103/page/ruz1628492711606.html"
},
{
"type": "WEB",
"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RQ9X-WHV9-7J63
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70616.
{
"affected": [],
"aliases": [
"CVE-2018-0218"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-08T07:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70616.",
"id": "GHSA-rq9x-whv9-7j63",
"modified": "2022-05-13T01:17:28Z",
"published": "2022-05-13T01:17:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0218"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103345"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQFH-9R24-8C9R
Vulnerability from github – Published: 2026-01-26 21:31 – Updated: 2026-01-29 03:24An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.
An application is vulnerable only when it uses untrusted XML input with one of the following methods:
isXmlEqualTo(CharSequence)fromorg.assertj.core.api.AbstractCharSequenceAssertxmlPrettyFormat(String)fromorg.assertj.core.util.xml.XmlStringPrettyFormatter
Impact
If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:
- Read arbitrary local files via
file://URIs (e.g.,/etc/passwd, application configuration files) - Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
- Cause Denial of Service via "Billion Laughs" entity expansion attacks
Mitigation
isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:
- Replace
isXmlEqualTo(CharSequence)with XMLUnit, or - Upgrade to version 3.27.7, or
- Avoid using
isXmlEqualTo(CharSequence)orXmlStringPrettyFormatterwith untrusted input.
XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.27.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.assertj:assertj-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "3.27.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24400"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-26T21:31:41Z",
"nvd_published_at": "2026-01-26T23:16:08Z",
"severity": "HIGH"
},
"details": "An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.\n\nAn application is vulnerable only when it uses untrusted XML input with one of the following methods:\n\n- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`\n- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`\n\n### Impact\n\nIf untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:\n\n- **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files)\n- **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs\n- **Cause Denial of Service** via \"Billion Laughs\" entity expansion attacks\n\n### Mitigation\n\n`isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:\n\n1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or\n2. Upgrade to version 3.27.7, or\n3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.\n\n`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.\n\n### References\n\n- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)\n- [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)",
"id": "GHSA-rqfh-9r24-8c9r",
"modified": "2026-01-29T03:24:21Z",
"published": "2026-01-26T21:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24400"
},
{
"type": "WEB",
"url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/assertj/assertj"
},
{
"type": "WEB",
"url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion"
}
GHSA-RR3F-MHHR-6WV3
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.
{
"affected": [],
"aliases": [
"CVE-2020-26564"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-31T17:15:00Z",
"severity": "MODERATE"
},
"details": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI.",
"id": "GHSA-rr3f-mhhr-6wv3",
"modified": "2022-05-24T19:09:28Z",
"published": "2022-05-24T19:09:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26564"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"type": "WEB",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RR59-H6RH-V84V
Vulnerability from github – Published: 2024-04-09 12:30 – Updated: 2024-05-02 14:45Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zeppelin:sap"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-47894"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-09T16:23:54Z",
"nvd_published_at": "2024-04-09T10:15:08Z",
"severity": "MODERATE"
},
"details": "Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nFor more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-rr59-h6rh-v84v",
"modified": "2024-05-02T14:45:20Z",
"published": "2024-04-09T12:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47894"
},
{
"type": "WEB",
"url": "https://github.com/apache/zeppelin/pull/4302"
},
{
"type": "WEB",
"url": "https://github.com/apache/zeppelin/commit/bea51d1467d6103bd8fd68d6a27b14f954d98ec6"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/zeppelin"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-5665"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE"
}
GHSA-RRH8-365P-PW96
Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563.
{
"affected": [],
"aliases": [
"CVE-2016-0254"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-07T17:29:00Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563.",
"id": "GHSA-rrh8-365p-pw96",
"modified": "2022-05-17T02:41:25Z",
"published": "2022-05-17T02:41:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0254"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/110563"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22004036"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVQQ-FWFF-P2V4
Vulnerability from github – Published: 2022-12-18 06:31 – Updated: 2022-12-22 18:30An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.
{
"affected": [],
"aliases": [
"CVE-2022-47514"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-18T04:15:00Z",
"severity": "HIGH"
},
"details": "An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.",
"id": "GHSA-rvqq-fwff-p2v4",
"modified": "2022-12-22T18:30:25Z",
"published": "2022-12-18T06:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47514"
},
{
"type": "WEB",
"url": "https://github.com/jumpycastle/xmlrpc.net-poc"
},
{
"type": "WEB",
"url": "https://papercutsoftware.github.io/XML-RPC.NET/download.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVRV-6XRW-V985
Vulnerability from github – Published: 2023-08-04 21:30 – Updated: 2023-08-04 21:30A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.
{
"affected": [],
"aliases": [
"CVE-2020-26064"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-04T21:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system.\n The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.",
"id": "GHSA-rvrv-6xrw-v985",
"modified": "2023-08-04T21:30:44Z",
"published": "2023-08-04T21:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26064"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanx2-KpFVSUc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWG2-W82X-V57J
Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-11-30 20:49Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.surenpi.jenkins:phoenix-autotest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-28155"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-30T20:49:11Z",
"nvd_published_at": "2022-03-29T13:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\nThis allows attackers able to control the input files for the `readXml` or `writeXml` build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-rwg2-w82x-v57j",
"modified": "2022-11-30T20:49:11Z",
"published": "2022-03-30T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28155"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/phoenix-autotest-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1897"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference vulnerability in Jenkins Pipeline: Phoenix AutoTest Plugin"
}
GHSA-RWPC-FVP2-P5WP
Vulnerability from github – Published: 2025-07-08 21:30 – Updated: 2025-07-08 21:30ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.
{
"affected": [],
"aliases": [
"CVE-2025-49539"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T21:15:26Z",
"severity": "MODERATE"
},
"details": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.",
"id": "GHSA-rwpc-fvp2-p5wp",
"modified": "2025-07-08T21:30:28Z",
"published": "2025-07-08T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49539"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.