Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-WV75-VG2R-PPJ6

Vulnerability from github – Published: 2025-06-19 18:31 – Updated: 2025-06-19 18:31
VLAI
Details

IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33121"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-19T18:15:21Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12  is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-wv75-vg2r-ppj6",
  "modified": "2025-06-19T18:31:47Z",
  "published": "2025-06-19T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33121"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7237317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVPV-8524-WG6X

Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2023-10-19 19:08
VLAI
Summary
mxGraph vulnerable to XXE attacks
Details

In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mxgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T19:08:39Z",
    "nvd_published_at": "2018-02-24T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In `mxGraphViewImageReader.java` in mxGraph before 3.7.6, the `SAXParserFactory` instance in `convert()` is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by `/ServerView`.",
  "id": "GHSA-wvpv-8524-wg6x",
  "modified": "2023-10-19T19:08:39Z",
  "published": "2022-05-14T03:38:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jgraph/mxgraph/issues/124"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jgraph/mxgraph/commit/97b3718db64a6ca9afb3382de2926eb8da660052"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jgraph/mxgraph"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mxGraph vulnerable to XXE attacks"
}

GHSA-WW27-QPC9-X958

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-10T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.",
  "id": "GHSA-ww27-qpc9-x958",
  "modified": "2022-05-13T01:12:20Z",
  "published": "2022-05-13T01:12:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11048"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Aug/5"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105130"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041417"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW2C-2PFQ-484J

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-31T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.",
  "id": "GHSA-ww2c-2pfq-484j",
  "modified": "2022-05-13T01:07:41Z",
  "published": "2022-05-13T01:07:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5795"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100558"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW2P-X466-VPWF

Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2022-05-14 03:36
VLAI
Details

A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-19T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).",
  "id": "GHSA-ww2p-x466-vpwf",
  "modified": "2022-05-14T03:36:50Z",
  "published": "2022-05-14T03:36:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7375"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462203"
    },
    {
      "type": "WEB",
      "url": "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201711-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-06-01"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3952"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98877"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWRF-457V-6CQW

Vulnerability from github – Published: 2025-05-13 03:31 – Updated: 2025-05-13 03:31
VLAI
Details

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T01:15:47Z",
    "severity": "HIGH"
  },
  "details": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application.",
  "id": "GHSA-wwrf-457v-6cqw",
  "modified": "2025-05-13T03:31:13Z",
  "published": "2025-05-13T03:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30018"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3578900"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWVH-435Q-GW8H

Vulnerability from github – Published: 2023-09-14 03:30 – Updated: 2023-09-14 03:30
VLAI
Details

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T02:15:12Z",
    "severity": null
  },
  "details": "The Create Single Payment application of SAP S/4HANA\u00a0- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.\u00a0When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the\u00a0entity loops to slow down the browser.\n\n",
  "id": "GHSA-wwvh-435q-gw8h",
  "modified": "2023-09-14T03:30:32Z",
  "published": "2023-09-14T03:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41369"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3369680"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX5C-XGRP-9RGR

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-14T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.",
  "id": "GHSA-wx5c-xgrp-9rgr",
  "modified": "2022-05-24T17:22:51Z",
  "published": "2022-05-24T17:22:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12025"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WXGQ-MV23-PGQR

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:06
VLAI
Details

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-28T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a \"deny all\" rule.",
  "id": "GHSA-wxgq-mv23-pgqr",
  "modified": "2024-04-04T01:06:35Z",
  "published": "2022-05-24T16:49:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13031"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1820"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://www.calypt.com/blog/index.php/cve-2019-13031-xxe-on-lemonldapng-2-0-5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXPC-F9FQ-W9PQ

Vulnerability from github – Published: 2026-02-07 06:31 – Updated: 2026-02-07 06:31
VLAI
Details

A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T05:16:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-wxpc-f9fq-w9pq",
  "modified": "2026-02-07T06:31:05Z",
  "published": "2026-02-07T06:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SourByte05/SourByte-Lab/issues/7"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344640"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344640"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.745486"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.745489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.