CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-VV97-384Q-3F76
Vulnerability from github – Published: 2022-05-17 00:25 – Updated: 2025-04-20 03:47tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the "draggable feeds" feature.
{
"affected": [],
"aliases": [
"CVE-2017-15639"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-19T19:29:00Z",
"severity": "MODERATE"
},
"details": "tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the \"draggable feeds\" feature.",
"id": "GHSA-vv97-384q-3f76",
"modified": "2025-04-20T03:47:17Z",
"published": "2022-05-17T00:25:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15639"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43045"
},
{
"type": "WEB",
"url": "http://www.getmura.com/blog/critical-security-update-for-mura-cms-version-6-1-and-earlier"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101603"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVH2-G87V-GG7J
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.
{
"affected": [],
"aliases": [
"CVE-2016-9487"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-13T20:29:00Z",
"severity": "HIGH"
},
"details": "EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim\u0027s trust relationship with other entities.",
"id": "GHSA-vvh2-g87v-gg7j",
"modified": "2022-05-13T01:38:30Z",
"published": "2022-05-13T01:38:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9487"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/779243"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/94864"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VVWV-H69M-WG6F
Vulnerability from github – Published: 2019-11-20 01:39 – Updated: 2025-03-06 18:02PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?<!ENTITY? and thus allowing for an xml external entity processing (XXE) attack.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpexcel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-12331"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2019-11-19T03:41:04Z",
"nvd_published_at": "2019-11-07T15:15:10Z",
"severity": "HIGH"
},
"details": "PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?\u003c!ENTITY? and thus allowing for an xml external entity processing (XXE) attack.",
"id": "GHSA-vvwv-h69m-wg6f",
"modified": "2025-03-06T18:02:26Z",
"published": "2019-11-20T01:39:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12331"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/pull/1041"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0e6238c69e863b58aeece61e48ea032696c6dccd"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2019-12331.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/releases/tag/1.8.0"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/security-advisories/usd-2019-0046"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue"
}
GHSA-VWJX-MMWM-PWRF
Vulnerability from github – Published: 2025-03-05 18:31 – Updated: 2025-03-05 19:30Impact
The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.
After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.
Patches
Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening
The older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched
Any users running older release, should plan to immediately upgrade to the latest stable release
6.0 will have a RC as it's not yet released
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.10.79-RC"
},
{
"fixed": "5.3.12.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0.65-RC"
},
{
"fixed": "5.4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.3.7.59"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.8.132-RC"
},
{
"fixed": "5.3.8.236"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lucee:lucee"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.9.113"
},
{
"fixed": "5.3.9.173"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38693"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-05T18:31:03Z",
"nvd_published_at": "2025-03-05T16:15:37Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee.\n\nAfter reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update.\n\n### Patches\n\nLucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening\n\nThe older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched\n\nAny users running older release, should plan to immediately upgrade to the latest stable release\n\n6.0 will have a RC as it\u0027s not yet released",
"id": "GHSA-vwjx-mmwm-pwrf",
"modified": "2025-03-05T19:30:32Z",
"published": "2025-03-05T18:31:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38693"
},
{
"type": "PACKAGE",
"url": "https://github.com/lucee/Lucee"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Lucee RCE/XXE Vulnerability"
}
GHSA-VX6V-35RF-7CF4
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD.
{
"affected": [],
"aliases": [
"CVE-2021-27492"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-27T16:15:00Z",
"severity": "MODERATE"
},
"details": "When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD.",
"id": "GHSA-vx6v-35rf-7cf4",
"modified": "2022-05-24T19:03:27Z",
"published": "2022-05-24T19:03:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27492"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-119468.pdf"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-567"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VX84-5FHG-PF9V
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:48xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi.
{
"affected": [],
"aliases": [
"CVE-2019-15641"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi.",
"id": "GHSA-vx84-5fhg-pf9v",
"modified": "2024-04-04T01:48:12Z",
"published": "2022-05-24T16:54:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15641"
},
{
"type": "WEB",
"url": "https://www.calypt.com/blog/index.php/authenticated-xxe-on-webmin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W23F-22PX-MX2G
Vulnerability from github – Published: 2024-12-10 15:32 – Updated: 2024-12-10 15:32A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by injecting malicious data into the communication channel between the two systems.
{
"affected": [],
"aliases": [
"CVE-2024-54005"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T14:30:47Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in COMOS V10.3 (All versions \u003c V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions \u003c V10.4.3.0.47), COMOS V10.4.4 (All versions \u003c V10.4.4.2), COMOS V10.4.4.1 (All versions \u003c V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user\u0027s system or accessible network folders by injecting malicious data into the communication channel between the two systems.",
"id": "GHSA-w23f-22px-mx2g",
"modified": "2024-12-10T15:32:31Z",
"published": "2024-12-10T15:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54005"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-701627.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W28F-FWQ3-X4P2
Vulnerability from github – Published: 2022-05-17 02:54 – Updated: 2025-04-20 03:33XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file.
{
"affected": [],
"aliases": [
"CVE-2017-6055"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T20:59:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file.",
"id": "GHSA-w28f-fwq3-x4p2",
"modified": "2025-04-20T03:33:04Z",
"published": "2022-05-17T02:54:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6055"
},
{
"type": "WEB",
"url": "https://cert.lv/lv/2017/02/iznakusas-nedelas-zinas-par-drosibas-incidentiem-nr-4-2017"
},
{
"type": "WEB",
"url": "https://www.eparaksts.lv/en/Assistance/downloads/eparakstitajs-3-0/previous-versions-of-eparakstitajs-3-0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2J7-XP4W-PRX7
Vulnerability from github – Published: 2022-05-14 02:19 – Updated: 2022-05-14 02:19Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE.
{
"affected": [],
"aliases": [
"CVE-2018-11719"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-30T16:29:00Z",
"severity": "MODERATE"
},
"details": "Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE.",
"id": "GHSA-w2j7-xp4w-prx7",
"modified": "2022-05-14T02:19:43Z",
"published": "2022-05-14T02:19:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11719"
},
{
"type": "WEB",
"url": "https://xovis.com/security/xovis-sec-2018-002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W2PW-52QG-478G
Vulnerability from github – Published: 2026-04-28 21:36 – Updated: 2026-04-28 21:36A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.
{
"affected": [],
"aliases": [
"CVE-2026-6807"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T19:37:47Z",
"severity": "MODERATE"
},
"details": "A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to \ntrigger improper handling of XML input, which may result in unintended \nexposure of sensitive information. The flaw stems from insufficient \nhardening of the XML parsing process.",
"id": "GHSA-w2pw-52qg-478g",
"modified": "2026-04-28T21:36:14Z",
"published": "2026-04-28T21:36:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6807"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-118-01.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.