CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-XV2G-H4P5-M8RQ
Vulnerability from github – Published: 2022-05-14 01:15 – Updated: 2022-05-14 01:15Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka "Windows System Information Console Information Disclosure Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8557"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "MODERATE"
},
"details": "Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka \"Windows System Information Console Information Disclosure Vulnerability\".",
"id": "GHSA-xv2g-h4p5-m8rq",
"modified": "2022-05-14T01:15:21Z",
"published": "2022-05-14T01:15:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8557"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8557"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99387"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99398"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XVHF-Q744-5XM8
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-14 05:26NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.
NUnit Plugin 0.26 disables external entity processing for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:nunit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2115"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-14T05:26:14Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "HIGH"
},
"details": "NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.\n\nNUnit Plugin 0.26 disables external entity processing for its XML parser.",
"id": "GHSA-xvhf-q744-5xm8",
"modified": "2023-01-14T05:26:14Z",
"published": "2022-05-24T17:08:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2115"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/nunit-plugin/commit/8f0b6a7b6a927c4b7003fdcd76862a3348b8205a"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/nunit-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1752"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in NUnit Plugin"
}
GHSA-XVM2-9XVC-HX7F
Vulnerability from github – Published: 2022-03-02 21:30 – Updated: 2022-03-10 15:48Impact
Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.
Patches
Upgrade to version 2.1.0.
Workarounds
No known workaround.
References
https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73
For more information
If you have any questions or comments about this advisory: * Open an issue in monitorjbl/excel-streaming-reader
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.monitorjbl:xlsx-streamer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23640"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-02T21:30:54Z",
"nvd_published_at": "2022-03-02T20:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nPrior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.\n\n### Patches\nUpgrade to version 2.1.0.\n\n### Workarounds\nNo known workaround.\n\n### References\nhttps://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [monitorjbl/excel-streaming-reader](https://github.com/monitorjbl/excel-streaming-reader)\n\n",
"id": "GHSA-xvm2-9xvc-hx7f",
"modified": "2022-03-10T15:48:44Z",
"published": "2022-03-02T21:30:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23640"
},
{
"type": "WEB",
"url": "https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73"
},
{
"type": "WEB",
"url": "https://github.com/monitorjbl/excel-streaming-reader"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer"
}
GHSA-XVV2-CW9Q-2M9R
Vulnerability from github – Published: 2022-07-20 00:00 – Updated: 2022-07-28 00:00Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.
{
"affected": [],
"aliases": [
"CVE-2022-34001"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-19T17:15:00Z",
"severity": "MODERATE"
},
"details": "Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.",
"id": "GHSA-xvv2-cw9q-2m9r",
"modified": "2022-07-28T00:00:43Z",
"published": "2022-07-20T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34001"
},
{
"type": "WEB",
"url": "https://prisminfosec.com/cve-2022-34001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XVW8-MQG6-CCHX
Vulnerability from github – Published: 2025-03-07 18:31 – Updated: 2025-03-07 18:31IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2025-0162"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-07T17:15:21Z",
"severity": "HIGH"
},
"details": "IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
"id": "GHSA-xvw8-mqg6-cchx",
"modified": "2025-03-07T18:31:06Z",
"published": "2025-03-07T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0162"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7185096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XW5H-CMH3-8J6J
Vulnerability from github – Published: 2026-06-12 12:31 – Updated: 2026-07-10 12:31Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
{
"affected": [],
"aliases": [
"CVE-2026-49875"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T10:16:22Z",
"severity": "CRITICAL"
},
"details": "Apache CXF\u0027s EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.",
"id": "GHSA-xw5h-cmh3-8j6j",
"modified": "2026-07-10T12:31:37Z",
"published": "2026-06-12T12:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49875"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37390"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-49875"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488309"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49875.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/11/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWQQ-PCG2-PPHR
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-05-18 00:31Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
{
"affected": [],
"aliases": [
"CVE-2024-39847"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:36Z",
"severity": "HIGH"
},
"details": "Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.",
"id": "GHSA-xwqq-pcg2-pphr",
"modified": "2026-05-18T00:31:35Z",
"published": "2026-04-30T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39847"
},
{
"type": "WEB",
"url": "https://4d.com"
},
{
"type": "WEB",
"url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2026/May/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XX66-M4R3-R5VF
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.
{
"affected": [],
"aliases": [
"CVE-2021-30201"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-09T14:15:00Z",
"severity": "HIGH"
},
"details": "An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.",
"id": "GHSA-xx66-m4r3-r5vf",
"modified": "2022-05-24T19:07:22Z",
"published": "2022-05-24T19:07:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30201"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2021-30201"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2021-00011"
},
{
"type": "WEB",
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XX6G-8FH5-HQ6C
Vulnerability from github – Published: 2024-10-09 09:31 – Updated: 2024-10-09 09:31Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2024-39586"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T07:15:09Z",
"severity": "LOW"
},
"details": "Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.",
"id": "GHSA-xx6g-8fh5-hq6c",
"modified": "2024-10-09T09:31:35Z",
"published": "2024-10-09T09:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39586"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XX7G-F287-F9FQ
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2023-10-27 11:34Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Liquibase Runner Plugin 1.4.7 no longer parses Liquibase changesets.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:liquibase-runner"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2284"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-19T23:52:27Z",
"nvd_published_at": "2020-09-23T14:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Liquibase Runner Plugin 1.4.7 no longer parses Liquibase changesets.",
"id": "GHSA-xx7g-f287-f9fq",
"modified": "2023-10-27T11:34:49Z",
"published": "2022-05-24T17:29:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2284"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/liquibase-runner-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-1887"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/09/23/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Liquibase Runner Plugin"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.