Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-4FXW-3P35-Q323

Vulnerability from github – Published: 2026-04-16 12:31 – Updated: 2026-04-16 12:31
VLAI
Details

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.

By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-16T10:16:14Z",
    "severity": "LOW"
  },
  "details": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product\u0027s file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.",
  "id": "GHSA-4fxw-3p35-q323",
  "modified": "2026-04-16T12:31:41Z",
  "published": "2026-04-16T12:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8010"
    },
    {
      "type": "WEB",
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G2H-VM7X-747C

Vulnerability from github – Published: 2026-03-23 12:30 – Updated: 2026-04-06 23:16
VLAI
Summary
esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages
Details

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.

esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.

This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "esaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T19:50:48Z",
    "nvd_published_at": "2026-03-23T11:16:24Z",
    "severity": "MODERATE"
  },
  "details": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.",
  "id": "GHSA-4g2h-vm7x-747c",
  "modified": "2026-04-06T23:16:15Z",
  "published": "2026-03-23T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28809"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-28809.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/arekinath/esaml"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages"
}

GHSA-4G7H-GHM5-8QMM

Vulnerability from github – Published: 2022-05-14 01:20 – Updated: 2025-04-20 03:40
VLAI
Details

LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.",
  "id": "GHSA-4g7h-ghm5-8qmm",
  "modified": "2025-04-20T03:40:42Z",
  "published": "2022-05-14T01:20:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000021"
    },
    {
      "type": "WEB",
      "url": "http://blog.randorisec.fr/logicaldoc-from-guest-to-root"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HGP-8WGC-7F64

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-28T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.",
  "id": "GHSA-4hgp-8wgc-7f64",
  "modified": "2022-05-24T17:49:05Z",
  "published": "2022-05-24T17:49:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25165"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-010.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4HVH-M426-WV8W

Vulnerability from github – Published: 2024-08-30 03:30 – Updated: 2026-05-12 12:32
VLAI
Details

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-30T03:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.",
  "id": "GHSA-4hvh-m426-wv8w",
  "modified": "2026-05-12T12:32:05Z",
  "published": "2024-08-30T03:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45490"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/issues/887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/pull/890"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241018-0004"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/10"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/6"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/7"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4J86-QHX5-3QV8

Vulnerability from github – Published: 2023-10-23 06:33 – Updated: 2023-11-01 18:30
VLAI
Details

CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-23T05:15:07Z",
    "severity": "MODERATE"
  },
  "details": "CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)  contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.",
  "id": "GHSA-4j86-qhx5-3qv8",
  "modified": "2023-11-01T18:30:30Z",
  "published": "2023-10-23T06:33:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43624"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU98683567"
    },
    {
      "type": "WEB",
      "url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4J9M-F26M-GCF5

Vulnerability from github – Published: 2025-07-23 00:30 – Updated: 2025-07-23 00:30
VLAI
Details

Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T22:15:38Z",
    "severity": "HIGH"
  },
  "details": "Lantronix\u00a0Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.",
  "id": "GHSA-4j9m-f26m-gcf5",
  "modified": "2025-07-23T00:30:32Z",
  "published": "2025-07-23T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7766"
    },
    {
      "type": "WEB",
      "url": "https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/105906637/Latest+Version+of+Lantronix+Provisioning+Manager+LPM"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4J9X-G4X8-VCMF

Vulnerability from github – Published: 2024-06-07 21:15 – Updated: 2024-06-07 21:15
VLAI
Summary
ZendFramework potential XML eXternal Entity injection vectors
Details

Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T21:15:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "`Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP\u0027s DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.\n\nA similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.",
  "id": "GHSA-4j9x-g4x8-vcmf",
  "modified": "2024-06-07T21:15:56Z",
  "published": "2024-06-07T21:15:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2012-05"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-05.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zf1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZendFramework potential XML eXternal Entity injection vectors"
}

GHSA-4JX2-HVQW-93J9

Vulnerability from github – Published: 2023-02-20 12:30 – Updated: 2024-03-01 14:29
VLAI
Summary
dd-plist XML External Entitly vulnerability
Details

A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.googlecode.plist:dd-plist"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-15026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T00:08:04Z",
    "nvd_published_at": "2023-02-20T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.",
  "id": "GHSA-4jx2-hvqw-93j9",
  "modified": "2024-03-01T14:29:42Z",
  "published": "2023-02-20T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-15026"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3breadt/dd-plist/pull/26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/3breadt/dd-plist"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3breadt/dd-plist/releases/tag/dd-plist-1.18"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.221486"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.221486"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dd-plist XML External Entitly vulnerability"
}

GHSA-4M3J-93MG-C6G3

Vulnerability from github – Published: 2022-05-14 03:50 – Updated: 2022-05-14 03:50
VLAI
Details

A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-15T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service\u0027s account hashed credentials to a remote attacker.",
  "id": "GHSA-4m3j-93mg-c6g3",
  "modified": "2022-05-14T03:50:40Z",
  "published": "2022-05-14T03:50:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14101"
    },
    {
      "type": "WEB",
      "url": "https://technical.nttsecurity.com/post/102emjg/conserus-image-repository-xml-external-entity-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.