Common Weakness Enumeration

CWE-91

Allowed-with-Review

XML Injection (aka Blind XPath Injection)

Abstraction: Base · Status: Draft

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

190 vulnerabilities reference this CWE, most recent first.

GHSA-P746-QW73-QMMX

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2025-11-06 23:42
VLAI
Summary
Magento XML Injection vulnerability in the Widgets Module
Details

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/project-community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7-p1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.3.7"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.2-p1"
            },
            {
              "fixed": "2.4.2-p2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-06T23:42:40Z",
    "nvd_published_at": "2021-09-01T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.",
  "id": "GHSA-p746-qw73-qmmx",
  "modified": "2025-11-06T23:42:40Z",
  "published": "2022-05-24T19:12:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36033"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Magento XML Injection vulnerability in the Widgets Module"
}

GHSA-P9WF-3XPG-C9G5

Vulnerability from github – Published: 2021-09-02 17:11 – Updated: 2024-10-24 21:53
VLAI
Summary
XML External Entity Injection in PyWPS
Details

An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pywps"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-25T19:48:42Z",
    "nvd_published_at": "2021-08-23T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.",
  "id": "GHSA-p9wf-3xpg-c9g5",
  "modified": "2024-10-24T21:53:22Z",
  "published": "2021-09-02T17:11:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39371"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopython/OWSLib/issues/790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pywps/pull/616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pywps/commit/7d6b26a2e931df2feca0b7fb24f4d01610825aee"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p9wf-3xpg-c9g5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geopython/pywps"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pywps/PYSEC-2021-121.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XML External Entity Injection in PyWPS"
}

GHSA-PFG4-R8VJ-QQM4

Vulnerability from github – Published: 2025-03-18 18:30 – Updated: 2025-03-19 21:30
VLAI
Details

An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-18T16:15:27Z",
    "severity": "MODERATE"
  },
  "details": "An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file.",
  "id": "GHSA-pfg4-r8vj-qqm4",
  "modified": "2025-03-19T21:30:52Z",
  "published": "2025-03-18T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25589"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/r1bbit/yimioa/issues/IBI81R"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJ98-2XF6-CFF5

Vulnerability from github – Published: 2023-09-20 15:30 – Updated: 2024-04-28 06:31
VLAI
Summary
ReportLab vulnerable to remote code execution via paraparser
Details

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "reportlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-19450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T16:57:08Z",
    "nvd_published_at": "2023-09-20T14:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with \u0027\u003cunichar code=\"\u0027 followed by arbitrary Python code, a similar issue to CVE-2019-17626.",
  "id": "GHSA-pj98-2xf6-cff5",
  "modified": "2024-04-28T06:31:24Z",
  "published": "2023-09-20T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md#release-353115102019"
    },
    {
      "type": "PACKAGE",
      "url": "https://hg.reportlab.com/hg-public/reportlab"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/5MicRrr4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ReportLab vulnerable to remote code execution via paraparser"
}

GHSA-PQQ2-XHG5-JR2V

Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-10 18:30
VLAI
Details

An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T22:15:48Z",
    "severity": "HIGH"
  },
  "details": "An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.",
  "id": "GHSA-pqq2-xhg5-jr2v",
  "modified": "2025-12-10T18:30:22Z",
  "published": "2025-12-05T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1545"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q8C5-P3CQ-8MH2

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:36
VLAI
Details

ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-30T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.",
  "id": "GHSA-q8c5-p3cq-8mh2",
  "modified": "2024-04-04T02:36:36Z",
  "published": "2022-05-24T17:00:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17323"
    },
    {
      "type": "WEB",
      "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8R6-5HFW-5JFF

Vulnerability from github – Published: 2026-06-11 13:05 – Updated: 2026-07-15 21:58
VLAI
Summary
guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator
Details

Impact

guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator ]]>. The XML request serializer writes values containing <, >, or & with XMLWriter::writeCData($value). If attacker-controlled input contains ]]>, the CDATA section closes early and the remainder is interpreted as XML markup. This is an outgoing request-body integrity issue, not a response parsing issue. The attacker does not need to control the service description or schema.

Users are affected when all of the following are true:

  1. The application uses guzzlehttp/guzzle-services to serialize outgoing requests.
  2. A request parameter or additionalParameters schema uses location: xml.
  3. The value is serialized as XML element text, not an XML attribute.
  4. The value can contain attacker-controlled, user-controlled, tenant-controlled, or otherwise untrusted input.
  5. The value is not constrained by a safe enum, pattern, or custom filter that excludes ]]>.
  6. The downstream service parses the generated XML structurally and may act on unexpected, duplicated, or injected elements.

Applications that serialize untrusted input into location: xml request parameters can emit XML containing attacker-controlled elements outside the intended text node. Depending on the receiving service, this can alter operation semantics, smuggle privileged fields, bypass modeled parameter boundaries, or create conflicting duplicated elements. Fixed service descriptions are sufficient if they contain an XML element parameter populated from attacker-controlled input.

Users are not directly affected if they only use Guzzle Services to deserialize HTTP response bodies. Response XML parsing uses the response XML location visitor and does not invoke the vulnerable request XML serializer. Response bodies matter only in a second-order flow, such as parsing attacker-controlled response XML, storing or forwarding a parsed string value, and later using it as a location: xml request parameter.

Example fixed service description:

'DisplayName' => ['location' => 'xml', 'type' => 'string']

If an attacker-controlled display name is:

Alice]]></DisplayName><Role>admin</Role><DisplayName><![CDATA[

the vulnerable serializer can emit an injected element outside the intended DisplayName text node:

<Request><DisplayName><![CDATA[Alice]]></DisplayName><Role>admin</Role><DisplayName><![CDATA[]]></DisplayName></Request>

If the downstream service treats <Role> as meaningful, the attacker has set a field the modeled DisplayName parameter was not intended to set.

Patches

The issue is patched in 1.5.4 and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes.

Workarounds

If you cannot upgrade immediately, constrain attacker-controlled XML element values with a strict enum, pattern, or custom filter that excludes ]]>, or avoid serializing untrusted data into location: xml element text until patched. Where appropriate for the service schema, XML attributes are not affected because they are written with XMLWriter attribute APIs rather than CDATA sections.

To determine whether action is needed, search service descriptions for request parameters using location: xml, including operation parameters and additionalParameters. Response-only models are not directly affected unless parsed values are reused for request serialization. For object and array parameters, review nested scalar properties because leaf element values can still be affected.

References

  • https://www.w3.org/TR/xml/#sec-cdata-sect
  • https://www.php.net/manual/en/xmlwriter.writecdata.php
  • https://www.php.net/manual/en/xmlwriter.text.php
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/guzzle-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:05:01Z",
    "nvd_published_at": "2026-06-11T14:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`guzzlehttp/guzzle-services` does not safely serialize scalar XML element values containing the CDATA terminator `]]\u003e`. The XML request serializer writes values containing `\u003c`, `\u003e`, or `\u0026` with `XMLWriter::writeCData($value)`. If attacker-controlled input contains `]]\u003e`, the CDATA section closes early and the remainder is interpreted as XML markup. This is an outgoing request-body integrity issue, not a response parsing issue. The attacker does not need to control the service description or schema.\n\nUsers are affected when all of the following are true:\n\n1. The application uses `guzzlehttp/guzzle-services` to serialize outgoing requests.\n2. A request parameter or `additionalParameters` schema uses `location: xml`.\n3. The value is serialized as XML element text, not an XML attribute.\n4. The value can contain attacker-controlled, user-controlled, tenant-controlled, or otherwise untrusted input.\n5. The value is not constrained by a safe `enum`, `pattern`, or custom filter that excludes `]]\u003e`.\n6. The downstream service parses the generated XML structurally and may act on unexpected, duplicated, or injected elements.\n\nApplications that serialize untrusted input into `location: xml` request parameters can emit XML containing attacker-controlled elements outside the intended text node. Depending on the receiving service, this can alter operation semantics, smuggle privileged fields, bypass modeled parameter boundaries, or create conflicting duplicated elements. Fixed service descriptions are sufficient if they contain an XML element parameter populated from attacker-controlled input.\n\nUsers are not directly affected if they only use Guzzle Services to deserialize HTTP response bodies. Response XML parsing uses the response XML location visitor and does not invoke the vulnerable request XML serializer. Response bodies matter only in a second-order flow, such as parsing attacker-controlled response XML, storing or forwarding a parsed string value, and later using it as a `location: xml` request parameter.\n\nExample fixed service description:\n\n```php\n\u0027DisplayName\u0027 =\u003e [\u0027location\u0027 =\u003e \u0027xml\u0027, \u0027type\u0027 =\u003e \u0027string\u0027]\n```\n\nIf an attacker-controlled display name is:\n\n```text\nAlice]]\u003e\u003c/DisplayName\u003e\u003cRole\u003eadmin\u003c/Role\u003e\u003cDisplayName\u003e\u003c![CDATA[\n```\n\nthe vulnerable serializer can emit an injected element outside the intended `DisplayName` text node:\n\n```xml\n\u003cRequest\u003e\u003cDisplayName\u003e\u003c![CDATA[Alice]]\u003e\u003c/DisplayName\u003e\u003cRole\u003eadmin\u003c/Role\u003e\u003cDisplayName\u003e\u003c![CDATA[]]\u003e\u003c/DisplayName\u003e\u003c/Request\u003e\n```\n\nIf the downstream service treats `\u003cRole\u003e` as meaningful, the attacker has set a field the modeled `DisplayName` parameter was not intended to set.\n\n### Patches\n\nThe issue is patched in `1.5.4` and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes.\n\n### Workarounds\n\nIf you cannot upgrade immediately, constrain attacker-controlled XML element values with a strict `enum`, `pattern`, or custom filter that excludes `]]\u003e`, or avoid serializing untrusted data into `location: xml` element text until patched. Where appropriate for the service schema, XML attributes are not affected because they are written with XMLWriter attribute APIs rather than CDATA sections.\n\nTo determine whether action is needed, search service descriptions for request parameters using `location: xml`, including operation `parameters` and `additionalParameters`. Response-only `models` are not directly affected unless parsed values are reused for request serialization. For object and array parameters, review nested scalar properties because leaf element values can still be affected.\n\n### References\n\n- https://www.w3.org/TR/xml/#sec-cdata-sect\n- https://www.php.net/manual/en/xmlwriter.writecdata.php\n- https://www.php.net/manual/en/xmlwriter.text.php",
  "id": "GHSA-q8r6-5hfw-5jff",
  "modified": "2026-07-15T21:58:16Z",
  "published": "2026-06-11T13:05:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/guzzle-services/security/advisories/GHSA-q8r6-5hfw-5jff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle-services/CVE-2026-53723.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/guzzle/guzzle-services"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "guzzlehttp/guzzle-services\u0027 XML Request Serialization Vulnerable to XML Injection via CDATA Terminator"
}

GHSA-QPG2-VX7J-3869

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2024-10-26 22:32
VLAI
Summary
XML Injection in ReportLab
Details

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "reportlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-17626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-27T16:52:31Z",
    "nvd_published_at": "2019-10-16T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with \u0027\u003cspan color=\"\u0027 followed by arbitrary Python code.",
  "id": "GHSA-qpg2-vx7j-3869",
  "modified": "2024-10-26T22:32:16Z",
  "published": "2022-05-24T22:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17626"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4663"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20191016111823/https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4273-1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240719-0006"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202007-35"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/reportlab/PYSEC-2019-117.yaml"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-qpg2-vx7j-3869"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MrBitBucket/reportlab-mirror"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2019-17626"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0230"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0201"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0197"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0195"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XML Injection in ReportLab"
}

GHSA-QXQF-2MFX-X8JW

Vulnerability from github – Published: 2024-05-20 14:57 – Updated: 2026-05-14 20:45
VLAI
Summary
veraPDF has potential XSLT injection vulnerability when using policy files
Details

Impact

Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

Patches

This has been patched and users should upgrade to veraPDF v1.24.2

Workarounds

This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.

References

Original issue: https://github.com/veraPDF/veraPDF-library/issues/1415

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:core-jakarta"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:core-arlington"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.127"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:verapdf-library-arlington"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.127"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:verapdf-library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:verapdf-library-jakarta"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:library-arlington"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.127"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.verapdf:library-jakarta"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-20T14:57:07Z",
    "nvd_published_at": "2024-03-28T14:15:13Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nExecuting policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.\n\n### Patches\n\nThis has been patched and users should upgrade to veraPDF v1.24.2\n\n### Workarounds\n\nThis doesn\u0027t affect the standard validation and policy checks functionality, veraPDF\u0027s common use cases. Most veraPDF users don\u0027t insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.\n\n### References\n\nOriginal issue: \u003chttps://github.com/veraPDF/veraPDF-library/issues/1415\u003e",
  "id": "GHSA-qxqf-2mfx-x8jw",
  "modified": "2026-05-14T20:45:29Z",
  "published": "2024-05-20T14:57:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/veraPDF/veraPDF-library/issues/1415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/veraPDF/veraPDF-library"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "veraPDF has potential XSLT injection vulnerability when using policy files"
}

GHSA-R2R5-8RMR-3PXJ

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (writing outside a memory region created by mmap).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-16T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (writing outside a memory region created by mmap).",
  "id": "GHSA-r2r5-8rmr-3pxj",
  "modified": "2022-05-24T17:47:45Z",
  "published": "2022-05-24T17:47:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31347"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/ezxml/bugs/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

CAPEC-83: XPath Injection

An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.