CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1693 vulnerabilities reference this CWE, most recent first.
GHSA-2MP8-QVQM-3XWQ
Vulnerability from github – Published: 2018-10-17 00:04 – Updated: 2023-09-26 11:23Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.restlet.jse:org.restlet.ext.jaxrs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-14868"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:52:36Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.",
"id": "GHSA-2mp8-qvqm-3xwq",
"modified": "2023-09-26T11:23:36Z",
"published": "2018-10-17T00:04:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14868"
},
{
"type": "WEB",
"url": "https://github.com/restlet/restlet-framework-java/issues/1286"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2mp8-qvqm-3xwq"
},
{
"type": "PACKAGE",
"url": "https://github.com/restlet/restlet-framework-java"
},
{
"type": "WEB",
"url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
},
{
"type": "WEB",
"url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider"
}
GHSA-2MPF-M756-HXJM
Vulnerability from github – Published: 2026-06-11 09:31 – Updated: 2026-06-11 09:31Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.
Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
{
"affected": [],
"aliases": [
"CVE-2026-40998"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T07:16:27Z",
"severity": "HIGH"
},
"details": "Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK\u0027s default DocumentBuilderFactory behavior instead of Spring\u0027s hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.",
"id": "GHSA-2mpf-m756-hxjm",
"modified": "2026-06-11T09:31:56Z",
"published": "2026-06-11T09:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40998"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-40998"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2P2J-5CRH-G4RM
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-01-13 06:30An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
{
"affected": [],
"aliases": [
"CVE-2020-15352"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T05:15:00Z",
"severity": "HIGH"
},
"details": "An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.",
"id": "GHSA-2p2j-5crh-g4rm",
"modified": "2024-01-13T06:30:23Z",
"published": "2022-05-24T17:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15352"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2P76-GC46-5FVC
Vulnerability from github – Published: 2025-06-10 20:10 – Updated: 2025-06-10 20:10Impact
GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.
This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files
Patches
GeoNetwork 4.4.8 / 4.2.13.
Workarounds
Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.
References
- GHSA-826p-4gcg-35vw
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.geonetwork-opensource:gn-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12"
},
"package": {
"ecosystem": "Maven",
"name": "org.geonetwork-opensource:gn-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.geonetwork-opensource:gn-wfsfeature-harvester"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12"
},
"package": {
"ecosystem": "Maven",
"name": "org.geonetwork-opensource:gn-wfsfeature-harvester"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T20:10:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nGeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation. \n\nThis vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files \n\n### Patches\n\nGeoNetwork 4.4.8 / 4.2.13.\n\n### Workarounds\n\nRemove the ``gn-wfsfeature-harvester`` and ``gn-camelPeriodicProducer`` jars, disabling the WFS Index functionality. \n\n### References\n\n- [GHSA-826p-4gcg-35vw](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw)\n- https://github.com/geonetwork/core-geonetwork/pull/8757\n- https://github.com/geonetwork/core-geonetwork/pull/8803\n- https://github.com/geonetwork/core-geonetwork/pull/8812",
"id": "GHSA-2p76-gc46-5fvc",
"modified": "2025-06-10T20:10:42Z",
"published": "2025-06-10T20:10:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
},
{
"type": "WEB",
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
},
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
},
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
},
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
},
{
"type": "PACKAGE",
"url": "https://github.com/geonetwork/core-geonetwork"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint"
}
GHSA-2P7R-HC45-R2QC
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2025-04-20 03:46The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2014-0030"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T01:30:00Z",
"severity": "CRITICAL"
},
"details": "The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.",
"id": "GHSA-2p7r-hc45-r2qc",
"modified": "2025-04-20T03:46:26Z",
"published": "2022-05-14T01:05:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0030"
},
{
"type": "WEB",
"url": "https://liftsecurity.io/advisories/Apache_Roller_XML-RPC_susceptible_to_XXE"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/roller-dev/201401.mbox/%3CCAF1aazCMzDGB12Ls4t-SOwNA=OdguD010LX3yZGhk2GQHafFXw%40mail.gmail.com%3E"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/roller-dev/201401.mbox/%3CCAF1aazCMzDGB12Ls4t-SOwNA=OdguD010LX3yZGhk2GQHafFXw@mail.gmail.com%3E"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45341"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2P7X-C866-R9JV
Vulnerability from github – Published: 2022-05-17 05:48 – Updated: 2024-02-21 21:30The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.
{
"affected": [],
"aliases": [
"CVE-2010-3322"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-14T17:00:00Z",
"severity": "MODERATE"
},
"details": "The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.",
"id": "GHSA-2p7x-c866-r9jv",
"modified": "2024-02-21T21:30:21Z",
"published": "2022-05-17T05:48:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3322"
},
{
"type": "WEB",
"url": "http://www.splunk.com/view/SP-CAAAFQ6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2P96-WHQ9-48CC
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 146189.
{
"affected": [],
"aliases": [
"CVE-2018-1702"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-28T13:29:00Z",
"severity": "HIGH"
},
"details": "IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 146189.",
"id": "GHSA-2p96-whq9-48cc",
"modified": "2022-05-13T01:32:56Z",
"published": "2022-05-13T01:32:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1702"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/146189"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10719659"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2PMP-X7WC-GXR9
Vulnerability from github – Published: 2025-11-06 21:31 – Updated: 2025-11-07 18:30A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path /admin/#/webset/?head_tab_active=0, where user-provided XML data is processed.
{
"affected": [],
"aliases": [
"CVE-2025-63551"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T19:15:43Z",
"severity": "HIGH"
},
"details": "A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.",
"id": "GHSA-2pmp-x7wc-gxr9",
"modified": "2025-11-07T18:30:28Z",
"published": "2025-11-06T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63551"
},
{
"type": "WEB",
"url": "https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection"
},
{
"type": "WEB",
"url": "https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2Q24-6F8M-PFJW
Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface.
{
"affected": [],
"aliases": [
"CVE-2018-5789"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-05T04:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface.",
"id": "GHSA-2q24-6f8m-pfjw",
"modified": "2022-05-14T03:43:38Z",
"published": "2022-05-14T03:43:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5789"
},
{
"type": "WEB",
"url": "https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2018-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2Q8V-8987-RXR5
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.
{
"affected": [],
"aliases": [
"CVE-2018-10077"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-20T21:29:00Z",
"severity": "MODERATE"
},
"details": "XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.",
"id": "GHSA-2q8v-8987-rxr5",
"modified": "2022-05-13T01:11:20Z",
"published": "2022-05-13T01:11:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10077"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44493"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/147253/Geist-WatchDog-Console-3.2.2-XSS-XML-Injection-Insecure-Permissions.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.