CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-5P52-J8PW-J7X5
Vulnerability from github – Published: 2018-12-19 19:24 – Updated: 2024-05-15 06:56Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bedework:bw-webdav"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.1"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-20000"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:16:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.",
"id": "GHSA-5p52-j8pw-j7x5",
"modified": "2024-05-15T06:56:33Z",
"published": "2018-12-19T19:24:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20000"
},
{
"type": "WEB",
"url": "https://github.com/Bedework/bw-webdav/pull/1"
},
{
"type": "PACKAGE",
"url": "https://github.com/Bedework/bw-webdav"
},
{
"type": "WEB",
"url": "https://github.com/Bedework/bw-webdav/compare/bw-webdav-4.0.2...bw-webdav-4.0.3"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5p52-j8pw-j7x5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in bedework:bw-webdav"
}
GHSA-5P7J-5G9R-9WJX
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
{
"affected": [],
"aliases": [
"CVE-2026-48359"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:08Z",
"severity": "CRITICAL"
},
"details": "Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed.",
"id": "GHSA-5p7j-5g9r-9wjx",
"modified": "2026-07-14T21:32:20Z",
"published": "2026-07-14T21:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48359"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5PGH-9CW4-W53H
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:39A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-1057"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027.",
"id": "GHSA-5pgh-9cw4-w53h",
"modified": "2024-04-04T01:39:07Z",
"published": "2022-05-24T16:53:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1057"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1057"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PV4-G6J5-P5RV
Vulnerability from github – Published: 2022-05-14 03:33 – Updated: 2022-05-14 03:33An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.
{
"affected": [],
"aliases": [
"CVE-2018-6225"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-15T19:29:00Z",
"severity": "MODERATE"
},
"details": "An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.",
"id": "GHSA-5pv4-g6j5-p5rv",
"modified": "2022-05-14T03:33:42Z",
"published": "2022-05-14T03:33:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6225"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/1119349"
},
{
"type": "WEB",
"url": "https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5PXW-MXGG-M48C
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-08 00:00SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
{
"affected": [],
"aliases": [
"CVE-2022-23170"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T15:15:00Z",
"severity": "CRITICAL"
},
"details": "SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter\u0027s value and searching for the AssertionConsumerServiceURL parameter\u0027s value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.",
"id": "GHSA-5pxw-mxgg-m48c",
"modified": "2022-07-08T00:00:46Z",
"published": "2022-06-25T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23170"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5RQW-G4V8-6VXC
Vulnerability from github – Published: 2022-05-14 03:41 – Updated: 2022-05-14 03:41Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.
{
"affected": [],
"aliases": [
"CVE-2018-2393"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-14T12:29:00Z",
"severity": "HIGH"
},
"details": "Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.",
"id": "GHSA-5rqw-g4v8-6vxc",
"modified": "2022-05-14T03:41:07Z",
"published": "2022-05-14T03:41:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2393"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2525222"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5V3W-GV84-5CV3
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2022-05-17 02:46IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.
{
"affected": [],
"aliases": [
"CVE-2016-9691"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-05T19:29:00Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.",
"id": "GHSA-5v3w-gv84-5cv3",
"modified": "2022-05-17T02:46:02Z",
"published": "2022-05-17T02:46:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9691"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21998014"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98338"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5V43-55M5-QR8F
Vulnerability from github – Published: 2022-05-17 03:06 – Updated: 2025-03-31 13:40getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "james-heinrich/getid3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-2053"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T22:47:38Z",
"nvd_published_at": "2014-06-04T14:55:00Z",
"severity": "HIGH"
},
"details": "getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.",
"id": "GHSA-5v43-55m5-qr8f",
"modified": "2025-03-31T13:40:17Z",
"published": "2022-05-17T03:06:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2053"
},
{
"type": "WEB",
"url": "https://github.com/JamesHeinrich/getID3/commit/afbdaa044a9a0a9dff2f800bd670e231b3ec99b2"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/james-heinrich/getid3/CVE-2014-2053.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/JamesHeinrich/getID3"
},
{
"type": "WEB",
"url": "https://wordpress.org/news/2014/08/wordpress-3-9-2"
},
{
"type": "WEB",
"url": "http://getid3.sourceforge.net/source/changelog.txt"
},
{
"type": "WEB",
"url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/58002"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-3001"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "getID3 is vulnerable to XML External Entity (XXE)"
}
GHSA-5V8C-888F-WWXG
Vulnerability from github – Published: 2025-10-06 18:31 – Updated: 2025-10-06 18:31A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
{
"affected": [],
"aliases": [
"CVE-2025-11341"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-06T17:16:04Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo\u0026style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.",
"id": "GHSA-5v8c-888f-wwxg",
"modified": "2025-10-06T18:31:06Z",
"published": "2025-10-06T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11341"
},
{
"type": "WEB",
"url": "https://github.com/rookie1006/CVE/issues/2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.327226"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.327226"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.664613"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5W88-3V56-G4XC
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-12-06 21:30IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.
{
"affected": [],
"aliases": [
"CVE-2019-4456"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-30T14:15:00Z",
"severity": "HIGH"
},
"details": "IBM Daeja ViewONE Professional, Standard \u0026 Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.",
"id": "GHSA-5w88-3v56-g4xc",
"modified": "2022-12-06T21:30:44Z",
"published": "2022-05-24T16:51:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4456"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/163620"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10959177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.