CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-PJ6P-9P8X-5MFC
Vulnerability from github – Published: 2026-05-08 06:32 – Updated: 2026-05-14 13:05Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencms:opencms-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42346"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T13:05:03Z",
"nvd_published_at": "2026-05-08T05:16:09Z",
"severity": "HIGH"
},
"details": "Alkacon OpenCms before 16 allows XXE when the \u003c!DOCTYPE\u003e refers to an external host.",
"id": "GHSA-pj6p-9p8x-5mfc",
"modified": "2026-05-14T13:05:03Z",
"published": "2026-05-08T06:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42346"
},
{
"type": "PACKAGE",
"url": "https://github.com/alkacon/opencms-core"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Alkacon OpenCms is vulnerable to XXE when the \u003c!DOCTYPE\u003e refers to an external host"
}
GHSA-PJ74-PF28-5QJW
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2025-10-22 00:31mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-9670"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-29T22:29:00Z",
"severity": "CRITICAL"
},
"details": "mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.",
"id": "GHSA-pj74-pf28-5qjw",
"modified": "2025-10-22T00:31:41Z",
"published": "2022-05-24T16:46:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9670"
},
{
"type": "WEB",
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=109129"
},
{
"type": "WEB",
"url": "https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9670"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46693"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html"
},
{
"type": "WEB",
"url": "http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJCH-4G28-FXX7
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-24 20:58The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.twelvemonkeys.imageio:imageio-metadata"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23792"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T20:58:43Z",
"nvd_published_at": "2022-05-06T20:15:00Z",
"severity": "CRITICAL"
},
"details": "The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.",
"id": "GHSA-pjch-4g28-fxx7",
"modified": "2022-05-24T20:58:43Z",
"published": "2022-05-07T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23792"
},
{
"type": "WEB",
"url": "https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80"
},
{
"type": "PACKAGE",
"url": "https://github.com/haraldk/TwelveMonkeys"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "External Entity Reference in TwelveMonkeys ImageIO"
}
GHSA-PJMC-XJQ4-H7JM
Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2022-05-17 02:47WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.
{
"affected": [],
"aliases": [
"CVE-2017-8056"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-22T22:59:00Z",
"severity": "MODERATE"
},
"details": "WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.",
"id": "GHSA-pjmc-xjq4-h7jm",
"modified": "2022-05-17T02:47:51Z",
"published": "2022-05-17T02:47:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8056"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt"
},
{
"type": "WEB",
"url": "https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia"
},
{
"type": "WEB",
"url": "https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html"
},
{
"type": "WEB",
"url": "http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000KlBSAU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PJP4-RRP6-VQR7
Vulnerability from github – Published: 2022-05-17 03:35 – Updated: 2022-05-17 03:35IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2016-3033"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-01T11:59:00Z",
"severity": "HIGH"
},
"details": "IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-pjp4-rrp6-vqr7",
"modified": "2022-05-17T03:35:31Z",
"published": "2022-05-17T03:35:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3033"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21987326"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92388"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMQQ-7WFV-JFFF
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2023-09-26 11:39The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.poi:poi-examples"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-5000"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:53:05Z",
"nvd_published_at": "2016-08-05T14:59:00Z",
"severity": "MODERATE"
},
"details": "The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-pmqq-7wfv-jfff",
"modified": "2023-09-26T11:39:10Z",
"published": "2022-05-13T01:14:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5000"
},
{
"type": "WEB",
"url": "https://lists.apache.org/list.html?user@poi.apache.org"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache POI\u0027s XLSX2CSV Example XML External Entity (XXE) Vulnerability"
}
GHSA-PP2F-3WRG-GX2G
Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.
{
"affected": [],
"aliases": [
"CVE-2017-1192"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-10T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.",
"id": "GHSA-pp2f-3wrg-gx2g",
"modified": "2022-05-14T03:47:11Z",
"published": "2022-05-14T03:47:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1192"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123663"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22004267"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102864"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PP98-436H-9QGG
Vulnerability from github – Published: 2023-04-26 21:30 – Updated: 2024-04-04 03:42HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2023-28008"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-26T20:15:10Z",
"severity": "HIGH"
},
"details": "HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.\n",
"id": "GHSA-pp98-436h-9qgg",
"modified": "2024-04-04T03:42:17Z",
"published": "2023-04-26T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28008"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0104371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PPV9-V43C-XQPP
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-10-27 16:08Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:pom2config"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43576"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T16:42:36Z",
"nvd_published_at": "2021-11-12T11:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-ppv9-v43c-xqpp",
"modified": "2023-10-27T16:08:37Z",
"published": "2022-05-24T19:20:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43576"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/pom2config-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2415"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1314"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins pom2config Plugin"
}
GHSA-PQG2-Q88Q-5H4P
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2025-10-22 00:31BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
{
"affected": [],
"aliases": [
"CVE-2016-9563"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-11-23T02:59:00Z",
"severity": "MODERATE"
},
"details": "BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.",
"id": "GHSA-pqg2-q88q-5h4p",
"modified": "2025-10-22T00:31:17Z",
"published": "2022-04-30T00:02:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9563"
},
{
"type": "WEB",
"url": "https://erpscan.io/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2296909"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-9563"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.