CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-24HM-WM2H-H8W7
Vulnerability from github – Published: 2025-11-28 06:32 – Updated: 2026-01-29 03:30Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "peppol_py"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66371"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-01T23:57:53Z",
"nvd_published_at": "2025-11-28T04:16:01Z",
"severity": "MODERATE"
},
"details": "Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.",
"id": "GHSA-24hm-wm2h-h8w7",
"modified": "2026-01-29T03:30:58Z",
"published": "2025-11-28T06:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66371"
},
{
"type": "WEB",
"url": "https://github.com/iterasdev/peppol-py/pull/16"
},
{
"type": "WEB",
"url": "https://github.com/iterasdev/peppol-py/commit/349a4bff8adb6205ea411bac8d7a06da0477abd7"
},
{
"type": "PACKAGE",
"url": "https://github.com/iterasdev/peppol-py"
},
{
"type": "WEB",
"url": "https://github.com/iterasdev/peppol-py/releases/tag/1.1.1"
},
{
"type": "WEB",
"url": "https://invoice.secvuln.info"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Peppol-py is vulnerable to XXE attacks due to Saxon configuration"
}
GHSA-24R8-JMFH-R268
Vulnerability from github – Published: 2023-02-01 00:30 – Updated: 2025-03-27 15:30Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).
{
"affected": [],
"aliases": [
"CVE-2022-47873"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-31T23:15:00Z",
"severity": "CRITICAL"
},
"details": "Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).",
"id": "GHSA-24r8-jmfh-r268",
"modified": "2025-03-27T15:30:37Z",
"published": "2023-02-01T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47873"
},
{
"type": "WEB",
"url": "https://fordefence.com/cve-2022-47873-keos-software-xx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-24RG-9RHW-M9GH
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.
{
"affected": [],
"aliases": [
"CVE-2019-0791"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T21:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027. This CVE ID is unique from CVE-2019-0790, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.",
"id": "GHSA-24rg-9rhw-m9gh",
"modified": "2022-05-14T01:11:01Z",
"published": "2022-05-14T01:11:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0791"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0791"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107726"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-24WF-7VF2-PV59
Vulnerability from github – Published: 2021-06-28 16:38 – Updated: 2021-06-25 13:06Impact
Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.
Patches
Fixed with: https://github.com/reportportal/service-api/pull/1392
Binaries
docker pull reportportal/service-api:5.4.0
https://github.com/reportportal/service-api/packages/846871?version=5.4.0
For more information
If you have any questions or comments about this advisory email us: support@reportportal.io
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.epam.reportportal:service-api"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "5.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29620"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-25T13:06:33Z",
"nvd_published_at": "2021-06-23T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nStarting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.\n\n### Patches\nFixed with: https://github.com/reportportal/service-api/pull/1392\n\n### Binaries\n`docker pull reportportal/service-api:5.4.0`\nhttps://github.com/reportportal/service-api/packages/846871?version=5.4.0\n\n### For more information\nIf you have any questions or comments about this advisory email us: [support@reportportal.io](mailto:support@reportportal.io)\n",
"id": "GHSA-24wf-7vf2-pv59",
"modified": "2021-06-25T13:06:33Z",
"published": "2021-06-28T16:38:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29620"
},
{
"type": "WEB",
"url": "https://github.com/reportportal/service-api/pull/1392"
},
{
"type": "WEB",
"url": "https://github.com/reportportal/service-api/commit/a73e0dfb4eda844c37139df1f9847013d55f084e"
},
{
"type": "WEB",
"url": "https://mvnrepository.com/artifact/com.epam.reportportal/service-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability on Launch import with externally-defined DTD file"
}
GHSA-253C-2JPF-7JP9
Vulnerability from github – Published: 2023-04-11 03:31 – Updated: 2023-04-15 00:30Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
{
"affected": [],
"aliases": [
"CVE-2023-28340"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T01:15:00Z",
"severity": "MODERATE"
},
"details": "Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.",
"id": "GHSA-253c-2jpf-7jp9",
"modified": "2023-04-15T00:30:37Z",
"published": "2023-04-11T03:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28340"
},
{
"type": "WEB",
"url": "https://manageengine.com"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28340.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-256F-5WHX-5J84
Vulnerability from github – Published: 2025-08-27 00:31 – Updated: 2025-08-27 00:31Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31.
{
"affected": [],
"aliases": [
"CVE-2025-35112"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T23:15:35Z",
"severity": "LOW"
},
"details": "Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows \u0027import/export\u0027, allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31.",
"id": "GHSA-256f-5whx-5j84",
"modified": "2025-08-27T00:31:16Z",
"published": "2025-08-27T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35112"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-239-01.json"
},
{
"type": "WEB",
"url": "https://wiki.agiloft.com/display/HELP/What%27s+New%3A+CVE+Resolution"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2589-88HX-72GF
Vulnerability from github – Published: 2026-05-26 21:31 – Updated: 2026-05-26 21:31IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2026-3603"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T19:16:27Z",
"severity": "HIGH"
},
"details": "IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
"id": "GHSA-2589-88hx-72gf",
"modified": "2026-05-26T21:31:58Z",
"published": "2026-05-26T21:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3603"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7274078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-258X-99J8-QCX3
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.
{
"affected": [],
"aliases": [
"CVE-2021-29831"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-21T16:15:00Z",
"severity": "HIGH"
},
"details": "IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.",
"id": "GHSA-258x-99j8-qcx3",
"modified": "2022-05-24T19:15:24Z",
"published": "2022-05-24T19:15:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29831"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204775"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6490905"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-25M5-5HWM-RP7R
Vulnerability from github – Published: 2023-04-05 18:30 – Updated: 2023-04-11 21:31A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.
{
"affected": [],
"aliases": [
"CVE-2023-20030"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-05T16:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.",
"id": "GHSA-25m5-5hwm-rp7r",
"modified": "2023-04-11T21:31:08Z",
"published": "2023-04-05T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20030"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-GecEHY58"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-264H-J8R7-HF4R
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2018-16166"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-09T23:29:00Z",
"severity": "HIGH"
},
"details": "LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.",
"id": "GHSA-264h-j8r7-hf4r",
"modified": "2022-05-14T01:38:50Z",
"published": "2022-05-14T01:38:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16166"
},
{
"type": "WEB",
"url": "https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU98026636/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.