Common Weakness Enumeration

CWE-776

Allowed

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Abstraction: Base · Status: Draft

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

143 vulnerabilities reference this CWE, most recent first.

GHSA-8GC5-J5RX-235R

Vulnerability from github – Published: 2026-03-17 19:45 – Updated: 2026-03-25 14:31
VLAI
Summary
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Details

Summary

The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (<, >, etc.) are processed through a separate code path that does NOT enforce any expansion limits.

An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.

Affected Versions

fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)

Root Cause

In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:

  1. Lines 638-670: DOCTYPE entities — expansion counting with entityExpansionCount and currentExpandedLength tracking. This was the CVE-2026-26278 fix.
  2. Lines 674-677: lastEntities loop — replaces standard entities including num_dec (/&#([0-9]{1,7});/g) and num_hex (/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.

The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.

Proof of Concept

const { XMLParser } = require('fast-xml-parser');

// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxTotalExpansions: 10,
    maxExpandedLength: 100,
    maxEntityCount: 1,
    maxEntitySize: 10
  }
});

// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'&#65;'.repeat(100000)}</root>`;
const result = parser.parse(xml);

// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length);  // 500000
console.log('Expected max:', 100);  // limit was 100

Results: - 100K &#65; references → 500,000 char output (5x default maxExpandedLength of 100,000) - 1M references → 5,000,000 char output, ~147MB memory consumed - Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars - Hex entities (&#x41;) exhibit the same bypass

Impact

Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause: - Excessive memory allocation (147MB+ for 1M entity references) - CPU consumption during regex replacement - Potential process crash via OOM

This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.

Suggested Fix

Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.

Workaround

Set htmlEntities:false

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-beta.3"
            },
            {
              "fixed": "4.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:45:41Z",
    "nvd_published_at": "2026-03-20T06:16:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe fix for CVE-2026-26278 added entity expansion limits (`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`, `maxEntitySize`) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. **Numeric character references** (`\u0026#NNN;` and `\u0026#xHH;`) and standard XML entities (`\u0026lt;`, `\u0026gt;`, etc.) are processed through a separate code path that does NOT enforce any expansion limits.\n\nAn attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.\n\n## Affected Versions\n\nfast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)\n\n## Root Cause\n\nIn `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()` function has two separate entity replacement loops:\n\n1. **Lines 638-670**: DOCTYPE entities \u2014 expansion counting with `entityExpansionCount` and `currentExpandedLength` tracking. This was the CVE-2026-26278 fix.\n2. **Lines 674-677**: `lastEntities` loop \u2014 replaces standard entities including `num_dec` (`/\u0026#([0-9]{1,7});/g`) and `num_hex` (`/\u0026#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at all.**\n\nThe numeric entity regex replacements at lines 97-98 are part of `lastEntities` and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.\n\n## Proof of Concept\n\n```javascript\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\n// Even with strict explicit limits, numeric entities bypass them\nconst parser = new XMLParser({\n  processEntities: {\n    enabled: true,\n    maxTotalExpansions: 10,\n    maxExpandedLength: 100,\n    maxEntityCount: 1,\n    maxEntitySize: 10\n  }\n});\n\n// 100K numeric entity references \u2014 should be blocked by maxTotalExpansions=10\nconst xml = `\u003croot\u003e${\u0027\u0026#65;\u0027.repeat(100000)}\u003c/root\u003e`;\nconst result = parser.parse(xml);\n\n// Output: 500,000 chars \u2014 bypasses maxExpandedLength=100 completely\nconsole.log(\u0027Output length:\u0027, result.root.length);  // 500000\nconsole.log(\u0027Expected max:\u0027, 100);  // limit was 100\n```\n\n**Results:**\n- 100K `\u0026#65;` references \u2192 500,000 char output (5x default maxExpandedLength of 100,000)\n- 1M references \u2192 5,000,000 char output, ~147MB memory consumed\n- Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K references produce 50,000 chars\n- Hex entities (`\u0026#x41;`) exhibit the same bypass\n\n## Impact\n\n**Denial of Service** \u2014 An attacker who can provide XML input to applications using fast-xml-parser can cause:\n- Excessive memory allocation (147MB+ for 1M entity references)\n- CPU consumption during regex replacement\n- Potential process crash via OOM\n\nThis is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.\n\n## Suggested Fix\n\nApply the same `entityExpansionCount` and `currentExpandedLength` tracking to the `lastEntities` loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.\n\n## Workaround\n\nSet `htmlEntities:false`",
  "id": "GHSA-8gc5-j5rx-235r",
  "modified": "2026-03-25T14:31:39Z",
  "published": "2026-03-17T19:45:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
}

GHSA-8W86-M9H8-HVQG

Vulnerability from github – Published: 2026-07-16 20:05 – Updated: 2026-07-16 20:05
VLAI
Summary
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users
Details

Impact

The SQL IMPORT DATABASE statement did not require administrative privileges and passed its source URL to the importer without validation. Any authenticated user with SQL command access (not only root/administrators) could therefore:

  • Server-Side Request Forgery (CWE-918): cause the server to issue HTTP(S) requests to arbitrary destinations, including cloud metadata endpoints (e.g. 169.254.169.254) and internal-only services, and ingest the responses as queryable records.
  • Arbitrary local file read (CWE-22): read local files reachable by the server process (e.g. /etc/passwd, credential files) by importing file:// paths, exposing their contents as records.

The server administration endpoint (/api/v1/server) was already restricted to the root user and was not affected; the exposure was through the database SQL command/query endpoints (/api/v1/command, /api/v1/query).

A related lower-severity hardening gap (CWE-776): the XML importer did not disable DTD processing, leaving entity-expansion (Billion Laughs) possible.

Affected component

integration/src/main/java/com/arcadedb/integration/importer/SourceDiscovery.java (no host allow-list for http(s); no path validation for file://), reached from engine/.../query/sql/parser/ImportDatabaseStatement.java.

Patches

  • IMPORT DATABASE now requires the administrative updateSecurity permission (no-op in embedded mode).
  • Import sources are validated in SourceDiscovery: HTTP(S) hosts resolving to loopback / link-local / private (site-local) / wildcard / multicast addresses are blocked by default (arcadedb.server.security.importBlockLocalNetworks, default true), and an optional local-path allow-list (arcadedb.server.security.importAllowedLocalPaths) restricts file:// reads.
  • The XML importer now disables DTD processing and external entities.

Fixed in commit referenced by pull request #4422.

Workarounds

Restrict SQL command/query access to trusted administrative users; do not grant query access to untrusted users on servers that can reach sensitive networks or hold sensitive local files. Upgrading is strongly recommended.

Credit

Reported by Bin Luo (luob87709@gmail.com).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.arcadedb:arcadedb-engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-776",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-16T20:05:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe SQL `IMPORT DATABASE` statement did not require administrative privileges and passed its source URL to the importer without validation. Any authenticated user with SQL command access (not only `root`/administrators) could therefore:\n\n- **Server-Side Request Forgery (CWE-918):** cause the server to issue HTTP(S) requests to arbitrary destinations, including cloud metadata endpoints (e.g. `169.254.169.254`) and internal-only services, and ingest the responses as queryable records.\n- **Arbitrary local file read (CWE-22):** read local files reachable by the server process (e.g. `/etc/passwd`, credential files) by importing `file://` paths, exposing their contents as records.\n\nThe server administration endpoint (`/api/v1/server`) was already restricted to the `root` user and was **not** affected; the exposure was through the database SQL command/query endpoints (`/api/v1/command`, `/api/v1/query`).\n\nA related lower-severity hardening gap (CWE-776): the XML importer did not disable DTD processing, leaving entity-expansion (Billion Laughs) possible.\n\n### Affected component\n\n`integration/src/main/java/com/arcadedb/integration/importer/SourceDiscovery.java` (no host allow-list for http(s); no path validation for `file://`), reached from `engine/.../query/sql/parser/ImportDatabaseStatement.java`.\n\n### Patches\n\n- `IMPORT DATABASE` now requires the administrative `updateSecurity` permission (no-op in embedded mode).\n- Import sources are validated in `SourceDiscovery`: HTTP(S) hosts resolving to loopback / link-local / private (site-local) / wildcard / multicast addresses are blocked by default (`arcadedb.server.security.importBlockLocalNetworks`, default `true`), and an optional local-path allow-list (`arcadedb.server.security.importAllowedLocalPaths`) restricts `file://` reads.\n- The XML importer now disables DTD processing and external entities.\n\nFixed in commit referenced by pull request [#4422](https://github.com/ArcadeData/arcadedb/pull/4422).\n\n### Workarounds\n\nRestrict SQL command/query access to trusted administrative users; do not grant query access to untrusted users on servers that can reach sensitive networks or hold sensitive local files. Upgrading is strongly recommended.\n\n### Credit\n\nReported by Bin Luo (luob87709@gmail.com).",
  "id": "GHSA-8w86-m9h8-hvqg",
  "modified": "2026-07-16T20:05:56Z",
  "published": "2026-07-16T20:05:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-8w86-m9h8-hvqg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ArcadeData/arcadedb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users"
}

GHSA-8X2V-PCG7-94F4

Vulnerability from github – Published: 2024-06-07 21:49 – Updated: 2024-06-07 21:49
VLAI
Summary
Zend-JSON vulnerable to XXE/XEE attacks
Details

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

  • XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
  • XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zend-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zend-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T21:49:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
  "id": "GHSA-8x2v-pcg7-94f4",
  "modified": "2024-06-07T21:49:11Z",
  "published": "2024-06-07T21:49:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/078e77a6e59cdbf32a94691afe3523db340f5da9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/7a747fbefe566c28a94b7e7ca37c15fc09ba4754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/865f96ecbc5e080fccb5e75304ce06ac57d2ce22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/89fc6f760478dc15519cb3ef4e4976425dc6ee10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/9fe5103dc9be472fa0a443ca36619a2953b6f88e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/acc60fc3fe56f5b0ad218c4c5789b21f11bc3a89"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-json/ZF2014-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zend-json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zend-JSON vulnerable to XXE/XEE attacks"
}

GHSA-8X79-XCGH-GHVM

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-10T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.",
  "id": "GHSA-8x79-xcgh-ghvm",
  "modified": "2022-05-24T19:10:48Z",
  "published": "2022-05-24T19:10:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38490"
    },
    {
      "type": "WEB",
      "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2021-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8XGG-2WJC-GWGJ

Vulnerability from github – Published: 2022-10-11 19:00 – Updated: 2022-10-13 19:00
VLAI
Details

Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.",
  "id": "GHSA-8xgg-2wjc-gwgj",
  "modified": "2022-10-13T19:00:19Z",
  "published": "2022-10-11T19:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34430"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000203345/dsa-2022-260-dell-hybrid-client-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93HF-XXFJ-6GX3

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.",
  "id": "GHSA-93hf-xxfj-6gx3",
  "modified": "2022-05-24T19:14:57Z",
  "published": "2022-05-24T19:14:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31842"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9882-28WJ-G67P

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2024-03-21 03:33
VLAI
Details

An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-23T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.",
  "id": "GHSA-9882-28wj-g67p",
  "modified": "2024-03-21T03:33:54Z",
  "published": "2022-05-24T17:09:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9352"
    },
    {
      "type": "WEB",
      "url": "https://blog.certimetergroup.com/it/articolo/security/smartclient-v12-xml-external-entity--cve-2020-9352"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2020/Feb/18"
    },
    {
      "type": "WEB",
      "url": "https://www-demos.smartclient.com/smartclient-12.0/isomorphic/system/reference/?id=group..toolsDeployment"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F4Q-Q82Q-4359

Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 15:21
VLAI
Summary
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks
Details

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "docling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T15:21:03Z",
    "nvd_published_at": "2026-05-11T17:16:19Z",
    "severity": "HIGH"
  },
  "details": "Docling\u0027s METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.",
  "id": "GHSA-9f4q-q82q-4359",
  "modified": "2026-05-18T15:21:03Z",
  "published": "2026-05-11T18:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31248"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/docling-project/docling"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/CVE-2026-31248-35d1e1393188818585b2ce3b9ce24686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Docling\u0027s METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks"
}

GHSA-9FMG-89FX-R33W

Vulnerability from github – Published: 2022-06-29 22:39 – Updated: 2022-07-11 19:25
VLAI
Summary
Quadratic blowup in Convert::xml2array()
Details

Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T22:39:50Z",
    "nvd_published_at": "2022-06-28T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.",
  "id": "GHSA-9fmg-89fx-r33w",
  "modified": "2022-07-11T19:25:18Z",
  "published": "2022-06-29T22:39:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2021-41559.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/releases"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/cve-2021-41559"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Quadratic blowup in Convert::xml2array()"
}

GHSA-9FP8-GJQ2-822P

Vulnerability from github – Published: 2023-08-31 15:30 – Updated: 2024-04-04 07:20
VLAI
Details

A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML file.",
  "id": "GHSA-9fp8-gjq2-822p",
  "modified": "2024-04-04T07:20:29Z",
  "published": "2023-08-31T15:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CapgeminiCisRedTeam/Disclosure/blob/f7aafa9fcd4efa30071c7f77d3e9e6b14e92302b/CVE%20PoC/CVE-2023-41635%20%7C%20RealGimm%20-%20XML%20External%20Entity%20Injection.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20-%20XML%20External%20Entity%20Injection.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Mitigation
Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

CAPEC-197: Exponential Data Expansion

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.