CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-WV75-VG2R-PPJ6
Vulnerability from github – Published: 2025-06-19 18:31 – Updated: 2025-06-19 18:31IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2025-33121"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-19T18:15:21Z",
"severity": "HIGH"
},
"details": "IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
"id": "GHSA-wv75-vg2r-ppj6",
"modified": "2025-06-19T18:31:47Z",
"published": "2025-06-19T18:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33121"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7237317"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WVPV-8524-WG6X
Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2023-10-19 19:08In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mxgraph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18197"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-19T19:08:39Z",
"nvd_published_at": "2018-02-24T02:29:00Z",
"severity": "CRITICAL"
},
"details": "In `mxGraphViewImageReader.java` in mxGraph before 3.7.6, the `SAXParserFactory` instance in `convert()` is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by `/ServerView`.",
"id": "GHSA-wvpv-8524-wg6x",
"modified": "2023-10-19T19:08:39Z",
"published": "2022-05-14T03:38:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18197"
},
{
"type": "WEB",
"url": "https://github.com/jgraph/mxgraph/issues/124"
},
{
"type": "WEB",
"url": "https://github.com/jgraph/mxgraph/commit/97b3718db64a6ca9afb3382de2926eb8da660052"
},
{
"type": "PACKAGE",
"url": "https://github.com/jgraph/mxgraph"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "mxGraph vulnerable to XXE attacks"
}
GHSA-WW27-QPC9-X958
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.
{
"affected": [],
"aliases": [
"CVE-2018-11048"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-10T20:29:00Z",
"severity": "HIGH"
},
"details": "Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.",
"id": "GHSA-ww27-qpc9-x958",
"modified": "2022-05-13T01:12:20Z",
"published": "2022-05-13T01:12:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11048"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Aug/5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105130"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WW2C-2PFQ-484J
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
{
"affected": [],
"aliases": [
"CVE-2016-5795"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-31T21:29:00Z",
"severity": "HIGH"
},
"details": "An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.",
"id": "GHSA-ww2c-2pfq-484j",
"modified": "2022-05-13T01:07:41Z",
"published": "2022-05-13T01:07:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5795"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WW2P-X466-VPWF
Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2022-05-14 03:36A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
{
"affected": [],
"aliases": [
"CVE-2017-7375"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-19T19:29:00Z",
"severity": "CRITICAL"
},
"details": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).",
"id": "GHSA-ww2p-x466-vpwf",
"modified": "2022-05-14T03:36:50Z",
"published": "2022-05-14T03:36:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7375"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462203"
},
{
"type": "WEB",
"url": "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201711-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-06-01"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3952"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98877"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWRF-457V-6CQW
Vulnerability from github – Published: 2025-05-13 03:31 – Updated: 2025-05-13 03:31The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2025-30018"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T01:15:47Z",
"severity": "HIGH"
},
"details": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application.",
"id": "GHSA-wwrf-457v-6cqw",
"modified": "2025-05-13T03:31:13Z",
"published": "2025-05-13T03:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30018"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3578900"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWVH-435Q-GW8H
Vulnerability from github – Published: 2023-09-14 03:30 – Updated: 2023-09-14 03:30The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.
{
"affected": [],
"aliases": [
"CVE-2023-41369"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T02:15:12Z",
"severity": null
},
"details": "The Create Single Payment application of SAP S/4HANA\u00a0- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.\u00a0When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the\u00a0entity loops to slow down the browser.\n\n",
"id": "GHSA-wwvh-435q-gw8h",
"modified": "2023-09-14T03:30:32Z",
"published": "2023-09-14T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41369"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3369680"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WX5C-XGRP-9RGR
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.
{
"affected": [],
"aliases": [
"CVE-2020-12025"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-14T13:15:00Z",
"severity": "MODERATE"
},
"details": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.",
"id": "GHSA-wx5c-xgrp-9rgr",
"modified": "2022-05-24T17:22:51Z",
"published": "2022-05-24T17:22:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12025"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WXGQ-MV23-PGQR
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:06LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
{
"affected": [],
"aliases": [
"CVE-2019-13031"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-28T23:15:00Z",
"severity": "HIGH"
},
"details": "LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a \"deny all\" rule.",
"id": "GHSA-wxgq-mv23-pgqr",
"modified": "2024-04-04T01:06:35Z",
"published": "2022-05-24T16:49:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13031"
},
{
"type": "WEB",
"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1820"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00003.html"
},
{
"type": "WEB",
"url": "https://www.calypt.com/blog/index.php/cve-2019-13031-xxe-on-lemonldapng-2-0-5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXPC-F9FQ-W9PQ
Vulnerability from github – Published: 2026-02-07 06:31 – Updated: 2026-02-07 06:31A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-2074"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T05:16:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-wxpc-f9fq-w9pq",
"modified": "2026-02-07T06:31:05Z",
"published": "2026-02-07T06:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2074"
},
{
"type": "WEB",
"url": "https://github.com/SourByte05/SourByte-Lab/issues/7"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344640"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344640"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.745486"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.745489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.