Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1693 vulnerabilities reference this CWE, most recent first.

GHSA-2MP8-QVQM-3XWQ

Vulnerability from github – Published: 2018-10-17 00:04 – Updated: 2023-09-26 11:23
VLAI
Summary
Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider
Details

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.restlet.jse:org.restlet.ext.jaxrs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-14868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:52:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.",
  "id": "GHSA-2mp8-qvqm-3xwq",
  "modified": "2023-09-26T11:23:36Z",
  "published": "2018-10-17T00:04:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2mp8-qvqm-3xwq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/restlet/restlet-framework-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "type": "WEB",
      "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider"
}

GHSA-2MPF-M756-HXJM

Vulnerability from github – Published: 2026-06-11 09:31 – Updated: 2026-06-11 09:31
VLAI
Details

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T07:16:27Z",
    "severity": "HIGH"
  },
  "details": "Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK\u0027s default DocumentBuilderFactory behavior instead of Spring\u0027s hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.",
  "id": "GHSA-2mpf-m756-hxjm",
  "modified": "2026-06-11T09:31:56Z",
  "published": "2026-06-11T09:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40998"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-40998"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P2J-5CRH-G4RM

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-01-13 06:30
VLAI
Details

An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-27T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.",
  "id": "GHSA-2p2j-5crh-g4rm",
  "modified": "2024-01-13T06:30:23Z",
  "published": "2022-05-24T17:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15352"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P76-GC46-5FVC

Vulnerability from github – Published: 2025-06-10 20:10 – Updated: 2025-06-10 20:10
VLAI
Summary
GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint
Details

Impact

GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.

This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files

Patches

GeoNetwork 4.4.8 / 4.2.13.

Workarounds

Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.

References

  • GHSA-826p-4gcg-35vw
  • https://github.com/geonetwork/core-geonetwork/pull/8757
  • https://github.com/geonetwork/core-geonetwork/pull/8803
  • https://github.com/geonetwork/core-geonetwork/pull/8812
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:gn-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.12"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:gn-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:gn-wfsfeature-harvester"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.12"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:gn-wfsfeature-harvester"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:10:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nGeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation. \n\nThis vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files \n\n### Patches\n\nGeoNetwork 4.4.8 / 4.2.13.\n\n### Workarounds\n\nRemove the ``gn-wfsfeature-harvester`` and ``gn-camelPeriodicProducer``  jars, disabling the WFS Index functionality. \n\n### References\n\n- [GHSA-826p-4gcg-35vw](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw)\n- https://github.com/geonetwork/core-geonetwork/pull/8757\n- https://github.com/geonetwork/core-geonetwork/pull/8803\n- https://github.com/geonetwork/core-geonetwork/pull/8812",
  "id": "GHSA-2p76-gc46-5fvc",
  "modified": "2025-06-10T20:10:42Z",
  "published": "2025-06-10T20:10:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geonetwork/core-geonetwork"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint"
}

GHSA-2P7R-HC45-R2QC

Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2025-04-20 03:46
VLAI
Details

The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-10T01:30:00Z",
    "severity": "CRITICAL"
  },
  "details": "The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.",
  "id": "GHSA-2p7r-hc45-r2qc",
  "modified": "2025-04-20T03:46:26Z",
  "published": "2022-05-14T01:05:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0030"
    },
    {
      "type": "WEB",
      "url": "https://liftsecurity.io/advisories/Apache_Roller_XML-RPC_susceptible_to_XXE"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/roller-dev/201401.mbox/%3CCAF1aazCMzDGB12Ls4t-SOwNA=OdguD010LX3yZGhk2GQHafFXw%40mail.gmail.com%3E"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/roller-dev/201401.mbox/%3CCAF1aazCMzDGB12Ls4t-SOwNA=OdguD010LX3yZGhk2GQHafFXw@mail.gmail.com%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45341"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P7X-C866-R9JV

Vulnerability from github – Published: 2022-05-17 05:48 – Updated: 2024-02-21 21:30
VLAI
Details

The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-09-14T17:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.",
  "id": "GHSA-2p7x-c866-r9jv",
  "modified": "2024-02-21T21:30:21Z",
  "published": "2022-05-17T05:48:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3322"
    },
    {
      "type": "WEB",
      "url": "http://www.splunk.com/view/SP-CAAAFQ6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P96-WHQ9-48CC

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 146189.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-28T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 146189.",
  "id": "GHSA-2p96-whq9-48cc",
  "modified": "2022-05-13T01:32:56Z",
  "published": "2022-05-13T01:32:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1702"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/146189"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10719659"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PMP-X7WC-GXR9

Vulnerability from github – Published: 2025-11-06 21:31 – Updated: 2025-11-07 18:30
VLAI
Details

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path /admin/#/webset/?head_tab_active=0, where user-provided XML data is processed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-06T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.",
  "id": "GHSA-2pmp-x7wc-gxr9",
  "modified": "2025-11-07T18:30:28Z",
  "published": "2025-11-06T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63551"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q24-6F8M-PFJW

Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43
VLAI
Details

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-05T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface.",
  "id": "GHSA-2q24-6f8m-pfjw",
  "modified": "2022-05-14T03:43:38Z",
  "published": "2022-05-14T03:43:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5789"
    },
    {
      "type": "WEB",
      "url": "https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2018-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q8V-8987-RXR5

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI
Details

XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-20T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.",
  "id": "GHSA-2q8v-8987-rxr5",
  "modified": "2022-05-13T01:11:20Z",
  "published": "2022-05-13T01:11:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10077"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44493"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147253/Geist-WatchDog-Console-3.2.2-XSS-XML-Injection-Insecure-Permissions.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.