CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-2VXP-RQ9R-5V72
Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-28 00:03IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190839.
{
"affected": [],
"aliases": [
"CVE-2020-4876"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-21T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190839.",
"id": "GHSA-2vxp-rq9r-5v72",
"modified": "2022-01-28T00:03:26Z",
"published": "2022-01-22T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4876"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190839"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6509856"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2W2M-CCF8-57CQ
Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-12-16 17:26REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control which repo binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
REPO Plugin 1.16.0 disables external entity resolution for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:repo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43415"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-19T20:26:57Z",
"nvd_published_at": "2022-10-19T16:15:00Z",
"severity": "HIGH"
},
"details": "REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control which `repo` binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nREPO Plugin 1.16.0 disables external entity resolution for its XML parser.",
"id": "GHSA-2w2m-ccf8-57cq",
"modified": "2022-12-16T17:26:11Z",
"published": "2022-10-19T19:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43415"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/repo-plugin/commit/4c4a72c7de3d3e5bbbad223605ea264dcec56bc1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/repo-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2337"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins REPO Plugin"
}
GHSA-2X65-FPCH-2FCM
Vulnerability from github – Published: 2024-12-02 17:14 – Updated: 2024-12-12 22:19Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
$options is defined as: https://github.com/simplesamlphp/xml-common/blob/v1.19.0/src/DOMDocumentFactory.php#L39 including the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.
While there is the NONET option, an attacker can simply bypass if by using PHP filters: php://filter/convert.base64-encode/resource=http://URL OR FILE
From there an attacker can induce network connections and steal the targeted file OOB (haven't fully tested this).
RCE may be possible with the php://expect or php://phar wrappers, but this hasn't been tested.
Note: The mitigation here: https://github.com/simplesamlphp/xml-common/blob/v1.19.0/src/DOMDocumentFactory.php#L58 Comes too late, as the XML has already been loaded into a document. Mitigation:
Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options. Additionally, as a defense in depth measure, check if there is the string: <!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: <! DOCTYPE)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.20"
},
"package": {
"ecosystem": "Packagist",
"name": "simplesamlphp/xml-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52596"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T17:14:30Z",
"nvd_published_at": "2024-12-02T17:15:12Z",
"severity": "HIGH"
},
"details": "Summary\n\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it\u0027s possible to induce an XXE.\n\n$options is defined as: https://github.com/simplesamlphp/xml-common/blob/v1.19.0/src/DOMDocumentFactory.php#L39\nincluding the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.\n\nWhile there is the NONET option, an attacker can simply bypass if by using PHP filters:\nphp://filter/convert.base64-encode/resource=http://URL OR FILE\n\nFrom there an attacker can induce network connections and steal the targeted file OOB (haven\u0027t fully tested this).\n\nRCE may be possible with the php://expect or php://phar wrappers, but this hasn\u0027t been tested.\n\nNote:\nThe mitigation here:\nhttps://github.com/simplesamlphp/xml-common/blob/v1.19.0/src/DOMDocumentFactory.php#L58\nComes too late, as the XML has already been loaded into a document.\nMitigation:\n\nRemove the LIBXML_DTDLOAD | LIBXML_DTDATTR options.\nAdditionally, as a defense in depth measure, check if there is the string: \u003c!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: \u003c! DOCTYPE)",
"id": "GHSA-2x65-fpch-2fcm",
"modified": "2024-12-12T22:19:57Z",
"published": "2024-12-02T17:14:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52596"
},
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/simplesamlphp/xml-common"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SimpleSAMLphp xml-common XXE vulnerability"
}
GHSA-2X9X-24QC-MMQV
Vulnerability from github – Published: 2024-03-14 18:30 – Updated: 2024-03-14 18:30Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.
{
"affected": [],
"aliases": [
"CVE-2023-50168"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T16:15:49Z",
"severity": "HIGH"
},
"details": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.",
"id": "GHSA-2x9x-24qc-mmqv",
"modified": "2024-03-14T18:30:30Z",
"published": "2024-03-14T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50168"
},
{
"type": "WEB",
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2XG5-8FRJ-H6PM
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 21:31Keyoti SearchUnit prior to 9.0.0. is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2025-44044"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T16:15:40Z",
"severity": "HIGH"
},
"details": "Keyoti SearchUnit prior to 9.0.0. is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system.",
"id": "GHSA-2xg5-8frj-h6pm",
"modified": "2025-06-10T21:31:22Z",
"published": "2025-06-10T18:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-44044"
},
{
"type": "WEB",
"url": "https://keyoti.com/products/search/dotNetWeb/HtmlHelp9/?topic=UserGuide/Release%20Notes.htm"
},
{
"type": "WEB",
"url": "https://www.sprocketsecurity.com/blog/cve-alert-cve-2025-44043-cve-2025-44044-the-search-bar-hacks-arent-dead-yet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-325X-VGX6-JR39
Vulnerability from github – Published: 2022-05-25 00:00 – Updated: 2022-06-10 00:00VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-22977"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-24T19:15:00Z",
"severity": "HIGH"
},
"details": "VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.",
"id": "GHSA-325x-vgx6-jr39",
"modified": "2022-06-10T00:00:56Z",
"published": "2022-05-25T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22977"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2022-0015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-32FW-H446-J4HH
Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
{
"affected": [],
"aliases": [
"CVE-2026-56701"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-23T13:16:46Z",
"severity": "HIGH"
},
"details": "Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.",
"id": "GHSA-32fw-h446-j4hh",
"modified": "2026-06-23T15:32:37Z",
"published": "2026-06-23T15:32:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56701"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/grav-xml-external-entity-injection-via-svg-upload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-32R8-54HF-C9P3
Vulnerability from github – Published: 2024-12-09 21:31 – Updated: 2024-12-10 19:18unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "unstructured"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46455"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-09T22:40:50Z",
"nvd_published_at": "2024-12-09T21:15:08Z",
"severity": "MODERATE"
},
"details": "unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.",
"id": "GHSA-32r8-54hf-c9p3",
"modified": "2024-12-10T19:18:15Z",
"published": "2024-12-09T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46455"
},
{
"type": "WEB",
"url": "https://github.com/Unstructured-IO/unstructured/pull/3088"
},
{
"type": "WEB",
"url": "https://github.com/Unstructured-IO/unstructured/commit/171b5df09fc3346aba8ce91c04de5b3e094a86bd"
},
{
"type": "WEB",
"url": "https://binarysouljour.me/cve-2024-46455"
},
{
"type": "PACKAGE",
"url": "https://github.com/Unstructured-IO/unstructured"
},
{
"type": "WEB",
"url": "https://www.tenable.com/cve/CVE-2024-46455"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "unstructured XML External Entity (XXE)"
}
GHSA-333M-4M49-38WM
Vulnerability from github – Published: 2023-04-25 15:30 – Updated: 2024-04-04 03:40An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
{
"affected": [],
"aliases": [
"CVE-2023-26057"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-25T13:15:09Z",
"severity": "MODERATE"
},
"details": "An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.",
"id": "GHSA-333m-4m49-38wm",
"modified": "2024-04-04T03:40:29Z",
"published": "2023-04-25T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26057"
},
{
"type": "WEB",
"url": "https://nokia.com"
},
{
"type": "WEB",
"url": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-339X-WFPH-G72P
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-02-03 15:31IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129.
{
"affected": [],
"aliases": [
"CVE-2019-4208"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-07T19:29:00Z",
"severity": "HIGH"
},
"details": "IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129.",
"id": "GHSA-339x-wfph-g72p",
"modified": "2023-02-03T15:31:17Z",
"published": "2022-05-24T16:45:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4208"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/159129"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10880263"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.