CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-VFJJ-7584-C34J
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed.
{
"affected": [],
"aliases": [
"CVE-2021-27184"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-11T18:15:00Z",
"severity": "HIGH"
},
"details": "Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\\Pelco directory) when DSControlPoint.exe is executed.",
"id": "GHSA-vfjj-7584-c34j",
"modified": "2022-05-24T17:42:01Z",
"published": "2022-05-24T17:42:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27184"
},
{
"type": "WEB",
"url": "https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server.txt"
},
{
"type": "WEB",
"url": "https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release-revision-history"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VFMQ-68HX-4JFW
Vulnerability from github – Published: 2026-04-21 20:38 – Updated: 2026-06-06 00:59Impact
Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files.
Patches
lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.
Workarounds
Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access.
Resources
Original report: https://bugs.launchpad.net/lxml/+bug/2146291
The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41066"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T20:38:44Z",
"nvd_published_at": "2026-04-24T17:16:20Z",
"severity": "HIGH"
},
"details": "### Impact\nUsing either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files.\n\n### Patches\nlxml 6.1.0 changes the default to `resolve_entities=\u0027internal\u0027`, thus disallowing local file access by default.\n\n### Workarounds\nSetting the `resolve_entities` option explicitly to `resolve_entities=\u0027internal\u0027` or `resolve_entities=False` disables the local file access.\n\n### Resources\nOriginal report: https://bugs.launchpad.net/lxml/+bug/2146291\n\nThe default option was changed to `resolve_entities=\u0027internal\u0027` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.",
"id": "GHSA-vfmq-68hx-4jfw",
"modified": "2026-06-06T00:59:15Z",
"published": "2026-04-21T20:38:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41066"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/lxml/+bug/2146291"
},
{
"type": "PACKAGE",
"url": "https://github.com/lxml/lxml"
},
{
"type": "WEB",
"url": "https://github.com/lxml/lxml/releases/tag/lxml-6.1.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2026-87.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files"
}
GHSA-VFMW-MCW8-M32F
Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2024-10-21 18:30Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.This issue affects OpenText Application Automation Tools: 24.1.0 and below.
{
"affected": [],
"aliases": [
"CVE-2024-4690"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T17:15:17Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.This issue affects OpenText Application Automation Tools: 24.1.0 and below.",
"id": "GHSA-vfmw-mcw8-m32f",
"modified": "2024-10-21T18:30:45Z",
"published": "2024-10-16T18:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4690"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000033548?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-VG35-VC9F-Q7X2
Vulnerability from github – Published: 2019-07-26 16:09 – Updated: 2024-09-27 18:25Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ladon"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.1"
},
{
"last_affected": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1010268"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2019-07-25T15:54:06Z",
"nvd_published_at": "2019-07-18T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.",
"id": "GHSA-vg35-vc9f-q7x2",
"modified": "2024-09-27T18:25:35Z",
"published": "2019-07-26T16:09:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010268"
},
{
"type": "PACKAGE",
"url": "https://bitbucket.org/jakobsg/ladon"
},
{
"type": "WEB",
"url": "https://bitbucket.org/jakobsg/ladon/pull-requests/9"
},
{
"type": "WEB",
"url": "https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vg35-vc9f-q7x2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ladon/PYSEC-2019-184.yaml"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43113"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Restriction of XML External Entity Reference in ladon"
}
GHSA-VGVW-M3X5-GRC3
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5).
{
"affected": [],
"aliases": [
"CVE-2017-3839"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-22T02:59:00Z",
"severity": "MODERATE"
},
"details": "An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5).",
"id": "GHSA-vgvw-m3x5-grc3",
"modified": "2022-05-13T01:45:55Z",
"published": "2022-05-13T01:45:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3839"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96236"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037836"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VH3X-X68X-6R47
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.
{
"affected": [],
"aliases": [
"CVE-2021-20353"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.",
"id": "GHSA-vh3x-x68x-6r47",
"modified": "2022-05-24T17:41:45Z",
"published": "2022-05-24T17:41:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20353"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194882"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6413709"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-174"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VHFP-9WVJ-GWVG
Vulnerability from github – Published: 2021-11-01 19:19 – Updated: 2021-11-03 14:51A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "modx/revolution"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25911"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-01T19:08:06Z",
"nvd_published_at": "2021-10-31T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).",
"id": "GHSA-vhfp-9wvj-gwvg",
"modified": "2021-11-03T14:51:31Z",
"published": "2021-11-01T19:19:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25911"
},
{
"type": "WEB",
"url": "https://github.com/modxcms/revolution/issues/15237"
},
{
"type": "WEB",
"url": "https://github.com/modxcms/revolution/pull/15238"
},
{
"type": "WEB",
"url": "https://github.com/modxcms/revolution/pull/15238/commits/1b7ffe02df30f05dbf67dd15e4d8101687c1585a"
},
{
"type": "WEB",
"url": "https://github.com/dahua966/Vul_disclose/blob/main/XXE_modxcms.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/modxcms/revolution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity vulnerability in MODX CMS"
}
GHSA-VHHC-MR4W-PMW6
Vulnerability from github – Published: 2022-05-14 01:08 – Updated: 2022-05-14 01:08The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.
{
"affected": [],
"aliases": [
"CVE-2013-1824"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-09-16T13:02:00Z",
"severity": "MODERATE"
},
"details": "The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.",
"id": "GHSA-vhhc-mr4w-pmw6",
"modified": "2022-05-14T01:08:03Z",
"published": "2022-05-14T01:08:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1824"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=918187"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git;a=commit;h=188c196d4da60bdde9190d2fc532650d17f7af2d"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git;a=commit;h=afe98b7829d50806559acac9b530acb8283c3bf4"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html"
},
{
"type": "WEB",
"url": "http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5880"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VHWV-8897-JM7Q
Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-12-16 19:56Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.8"
},
"package": {
"ecosystem": "Maven",
"name": "com.compuware.jenkins:compuware-topaz-for-total-test"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43430"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-19T21:22:06Z",
"nvd_published_at": "2022-10-19T16:15:00Z",
"severity": "HIGH"
},
"details": "Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control the input files for the \u0027Topaz for Total Test - Execute Total Test scenarios\u0027 build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-vhwv-8897-jm7q",
"modified": "2022-12-16T19:56:42Z",
"published": "2022-10-19T19:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43430"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/9ce24fb63fcdb94290340d2ec53f478635c416ab"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/compuware-topaz-for-total-test-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin"
}
GHSA-VJ49-J7RC-H54F
Vulnerability from github – Published: 2023-08-25 21:30 – Updated: 2023-09-01 17:35An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.esotericsoftware.yamlbeans:yamlbeans"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24620"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-25T22:04:01Z",
"nvd_published_at": "2023-08-25T20:15:07Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.",
"id": "GHSA-vj49-j7rc-h54f",
"modified": "2023-09-01T17:35:22Z",
"published": "2023-08-25T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24620"
},
{
"type": "WEB",
"url": "https://contrastsecurity.com"
},
{
"type": "WEB",
"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"
},
{
"type": "WEB",
"url": "https://github.com/EsotericSoftware"
},
{
"type": "PACKAGE",
"url": "https://github.com/EsotericSoftware/yamlbeans"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Esoteric YamlBeans XML Entity Expansion vulnerability"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.