Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-3HMG-CM34-VRF6

Vulnerability from github – Published: 2023-11-17 15:30 – Updated: 2023-11-17 15:30
VLAI
Details

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-17T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-3hmg-cm34-vrf6",
  "modified": "2023-11-17T15:30:26Z",
  "published": "2023-11-17T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22274"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/robohelp-server/apsb23-53.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HQ4-5QPG-7776

Vulnerability from github – Published: 2023-02-22 00:30 – Updated: 2023-03-03 15:30
VLAI
Details

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-22T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.",
  "id": "GHSA-3hq4-5qpg-7776",
  "modified": "2023-03-03T15:30:24Z",
  "published": "2023-02-22T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20855"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2023-0005.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HRC-F439-727G

Vulnerability from github – Published: 2018-10-16 23:08 – Updated: 2022-11-17 18:38
VLAI
Summary
Apache Camel XML External Entity vulnerability
Details

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.0"
            },
            {
              "fixed": "2.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-0263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:55:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.",
  "id": "GHSA-3hrc-f439-727g",
  "modified": "2022-11-17T18:38:58Z",
  "published": "2018-10-16T23:08:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/06db9e0744f2bb9f6e3bf16c0dfe7099a3481558"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/367d53e73c8b5a1e73c24423e631709f9a96e08d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/7d19340bcdb42f7aae584d9c5003ac4f7ddaee36"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc"
    },
    {
      "type": "WEB",
      "url": "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-3hrc-f439-727g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/camel"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/CAMEL-8312"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1041.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1538.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1539.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1032442"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Camel XML External Entity vulnerability"
}

GHSA-3J9C-CP7M-8W8G

Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2025-03-13 17:48
VLAI
Summary
Jenkins has XML External Entity (XXE) Vulnerability in Job Configuration via CLI
Details

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.626"
            },
            {
              "fixed": "1.638"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.625.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-5319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-13T17:48:30Z",
    "nvd_published_at": "2015-11-25T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job.",
  "id": "GHSA-3j9c-cp7m-8w8g",
  "modified": "2025-03-13T17:48:30Z",
  "published": "2022-05-13T01:30:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/e78e9e8144f7304cf274cd4b756f458cf63a3556"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:0070"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jenkins has XML External Entity (XXE) Vulnerability in Job Configuration via CLI"
}

GHSA-3JW3-99X8-H6XC

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-22T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.",
  "id": "GHSA-3jw3-99x8-h6xc",
  "modified": "2022-05-24T17:48:09Z",
  "published": "2022-05-24T17:48:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27736"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FusionAuth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FusionAuth/fusionauth-samlv2/compare/0.5.3...0.5.4"
    },
    {
      "type": "WEB",
      "url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-03_CSNC-2021-004_FusionAuth_SAML_Library_XML_External_Entity.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3M9X-2QFJ-XVQ4

Vulnerability from github – Published: 2024-11-07 17:28 – Updated: 2024-11-07 17:28
VLAI
Summary
PHPExcel XXE Vulnerability
Details

PHPExcel XXE Vulnerability

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-3542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T17:28:59Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "PHPExcel XXE Vulnerability",
  "id": "GHSA-3m9x-2qfj-xvq4",
  "modified": "2024-11-07T17:28:59Z",
  "published": "2024-11-07T17:28:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PHPExcel/commit/0ab614fd952f82f9b7a9280731daa2300e6b000c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpexcel/CVE-2015-3542.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PHPExcel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PHPExcel XXE Vulnerability"
}

GHSA-3MJP-86XG-FF9V

Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-08 00:00
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 and 11.6.600 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-30T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 and 11.6.600 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn\u0027t usually have access to via a carefully constructed XML file, which the DLP Agent doesn\u0027t parse correctly.",
  "id": "GHSA-3mjp-86xg-ff9v",
  "modified": "2022-09-08T00:00:39Z",
  "published": "2022-08-31T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2330"
    },
    {
      "type": "WEB",
      "url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10386"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MJQ-GR7R-H6X3

Vulnerability from github – Published: 2024-11-18 21:30 – Updated: 2025-10-20 18:30
VLAI
Details

An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T21:15:06Z",
    "severity": "MODERATE"
  },
  "details": "An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file.",
  "id": "GHSA-3mjq-gr7r-h6x3",
  "modified": "2025-10-20T18:30:29Z",
  "published": "2024-11-18T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50848"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1mhr4b/CVE-2024-50848"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Wh1teSnak3/CVE-2024-50848"
    },
    {
      "type": "WEB",
      "url": "https://www.trados.com/product/worldserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MMX-QQMQ-RM69

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-26T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.",
  "id": "GHSA-3mmx-qqmq-rm69",
  "modified": "2022-05-24T17:40:18Z",
  "published": "2022-05-24T17:40:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4949"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192025"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6408244"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3MWF-3W9J-82VF

Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32
VLAI
Details

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T21:17:24Z",
    "severity": "HIGH"
  },
  "details": "ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.",
  "id": "GHSA-3mwf-3w9j-82vf",
  "modified": "2026-06-09T21:32:39Z",
  "published": "2026-06-09T21:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47960"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-64.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.