CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-3HMG-CM34-VRF6
Vulnerability from github – Published: 2023-11-17 15:30 – Updated: 2023-11-17 15:30Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2023-22274"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-17T13:15:08Z",
"severity": "HIGH"
},
"details": "Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.",
"id": "GHSA-3hmg-cm34-vrf6",
"modified": "2023-11-17T15:30:26Z",
"published": "2023-11-17T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22274"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/robohelp-server/apsb23-53.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3HQ4-5QPG-7776
Vulnerability from github – Published: 2023-02-22 00:30 – Updated: 2023-03-03 15:30VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2023-20855"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-22T00:15:00Z",
"severity": "HIGH"
},
"details": "VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.",
"id": "GHSA-3hq4-5qpg-7776",
"modified": "2023-03-03T15:30:24Z",
"published": "2023-02-22T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20855"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2023-0005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3HRC-F439-727G
Vulnerability from github – Published: 2018-10-16 23:08 – Updated: 2022-11-17 18:38XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.14.0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-0263"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:55:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.",
"id": "GHSA-3hrc-f439-727g",
"modified": "2022-11-17T18:38:58Z",
"published": "2018-10-16T23:08:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263"
},
{
"type": "WEB",
"url": "https://github.com/apache/camel/commit/06db9e0744f2bb9f6e3bf16c0dfe7099a3481558"
},
{
"type": "WEB",
"url": "https://github.com/apache/camel/commit/367d53e73c8b5a1e73c24423e631709f9a96e08d"
},
{
"type": "WEB",
"url": "https://github.com/apache/camel/commit/7d19340bcdb42f7aae584d9c5003ac4f7ddaee36"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc"
},
{
"type": "WEB",
"url": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3hrc-f439-727g"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/camel"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/CAMEL-8312"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1032442"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Apache Camel XML External Entity vulnerability"
}
GHSA-3J9C-CP7M-8W8G
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2025-03-13 17:48XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.626"
},
{
"fixed": "1.638"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.625.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5319"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T17:48:30Z",
"nvd_published_at": "2015-11-25T20:59:00Z",
"severity": "MODERATE"
},
"details": "XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job.",
"id": "GHSA-3j9c-cp7m-8w8g",
"modified": "2025-03-13T17:48:30Z",
"published": "2022-05-13T01:30:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5319"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/e78e9e8144f7304cf274cd4b756f458cf63a3556"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:0070"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jenkins has XML External Entity (XXE) Vulnerability in Job Configuration via CLI"
}
GHSA-3JW3-99X8-H6XC
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
{
"affected": [],
"aliases": [
"CVE-2021-27736"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T14:15:00Z",
"severity": "MODERATE"
},
"details": "FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.",
"id": "GHSA-3jw3-99x8-h6xc",
"modified": "2022-05-24T17:48:09Z",
"published": "2022-05-24T17:48:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27736"
},
{
"type": "WEB",
"url": "https://github.com/FusionAuth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd"
},
{
"type": "WEB",
"url": "https://github.com/FusionAuth/fusionauth-samlv2/compare/0.5.3...0.5.4"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-03_CSNC-2021-004_FusionAuth_SAML_Library_XML_External_Entity.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3M9X-2QFJ-XVQ4
Vulnerability from github – Published: 2024-11-07 17:28 – Updated: 2024-11-07 17:28PHPExcel XXE Vulnerability
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpexcel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-3542"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-07T17:28:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "PHPExcel XXE Vulnerability",
"id": "GHSA-3m9x-2qfj-xvq4",
"modified": "2024-11-07T17:28:59Z",
"published": "2024-11-07T17:28:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PHPExcel/commit/0ab614fd952f82f9b7a9280731daa2300e6b000c"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpexcel/CVE-2015-3542.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PHPExcel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PHPExcel XXE Vulnerability"
}
GHSA-3MJP-86XG-FF9V
Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-08 00:00Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 and 11.6.600 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly.
{
"affected": [],
"aliases": [
"CVE-2022-2330"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-30T08:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 and 11.6.600 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn\u0027t usually have access to via a carefully constructed XML file, which the DLP Agent doesn\u0027t parse correctly.",
"id": "GHSA-3mjp-86xg-ff9v",
"modified": "2022-09-08T00:00:39Z",
"published": "2022-08-31T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2330"
},
{
"type": "WEB",
"url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10386"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MJQ-GR7R-H6X3
Vulnerability from github – Published: 2024-11-18 21:30 – Updated: 2025-10-20 18:30An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file.
{
"affected": [],
"aliases": [
"CVE-2024-50848"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T21:15:06Z",
"severity": "MODERATE"
},
"details": "An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file.",
"id": "GHSA-3mjq-gr7r-h6x3",
"modified": "2025-10-20T18:30:29Z",
"published": "2024-11-18T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50848"
},
{
"type": "WEB",
"url": "https://github.com/1mhr4b/CVE-2024-50848"
},
{
"type": "WEB",
"url": "https://github.com/Wh1teSnak3/CVE-2024-50848"
},
{
"type": "WEB",
"url": "https://www.trados.com/product/worldserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MMX-QQMQ-RM69
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.
{
"affected": [],
"aliases": [
"CVE-2020-4949"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T15:15:00Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.",
"id": "GHSA-3mmx-qqmq-rm69",
"modified": "2022-05-24T17:40:18Z",
"published": "2022-05-24T17:40:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4949"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192025"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6408244"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3MWF-3W9J-82VF
Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
{
"affected": [],
"aliases": [
"CVE-2026-47960"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T21:17:24Z",
"severity": "HIGH"
},
"details": "ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.",
"id": "GHSA-3mwf-3w9j-82vf",
"modified": "2026-06-09T21:32:39Z",
"published": "2026-06-09T21:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47960"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.