Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2016-15011

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-06 Jan, 2023 | 09:46
Updated At-06 Aug, 2024 | 03:47
Rejected At-
Credits

e-Contract dssp SignResponseVerifier.java checkSignResponse xml external entity reference

A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 is able to address this issue. The identifier of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:06 Jan, 2023 | 09:46
Updated At:06 Aug, 2024 | 03:47
Rejected At:
â–ĽCVE Numbering Authority (CNA)
e-Contract dssp SignResponseVerifier.java checkSignResponse xml external entity reference

A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 is able to address this issue. The identifier of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.

Affected Products
Vendor
e-Contract
Product
dssp
Versions
Affected
  • 1.3.0
  • 1.3.1
Problem Types
TypeCWE IDDescription
CWECWE-611CWE-611 XML External Entity Reference
Type: CWE
CWE ID: CWE-611
Description: CWE-611 XML External Entity Reference
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
3.05.5MEDIUM
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
2.04.9N/A
AV:A/AC:M/Au:S/C:P/I:P/A:P
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Version: 3.0
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Version: 2.0
Base score: 4.9
Base severity: N/A
Vector:
AV:A/AC:M/Au:S/C:P/I:P/A:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

tool
VulDB GitHub Commit Analyzer
Timeline
EventDate
Advisory disclosed2023-01-06 00:00:00
CVE reserved2023-01-06 00:00:00
VulDB entry created2023-01-06 01:00:00
VulDB entry last update2023-01-29 09:57:26
Event: Advisory disclosed
Date: 2023-01-06 00:00:00
Event: CVE reserved
Date: 2023-01-06 00:00:00
Event: VulDB entry created
Date: 2023-01-06 01:00:00
Event: VulDB entry last update
Date: 2023-01-29 09:57:26
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/?id.217549
vdb-entry
technical-description
https://vuldb.com/?ctiid.217549
signature
permissions-required
https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302
patch
https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2
patch
Hyperlink: https://vuldb.com/?id.217549
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.217549
Resource:
signature
permissions-required
Hyperlink: https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302
Resource:
patch
Hyperlink: https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2
Resource:
patch
â–ĽAuthorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/?id.217549
vdb-entry
technical-description
x_transferred
https://vuldb.com/?ctiid.217549
signature
permissions-required
x_transferred
https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302
patch
x_transferred
https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2
patch
x_transferred
Hyperlink: https://vuldb.com/?id.217549
Resource:
vdb-entry
technical-description
x_transferred
Hyperlink: https://vuldb.com/?ctiid.217549
Resource:
signature
permissions-required
x_transferred
Hyperlink: https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302
Resource:
patch
x_transferred
Hyperlink: https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2
Resource:
patch
x_transferred
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:06 Jan, 2023 | 10:15
Updated At:17 May, 2024 | 01:08

A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 is able to address this issue. The identifier of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.15.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Secondary2.04.9MEDIUM
AV:A/AC:M/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 4.9
Base severity: MEDIUM
Vector:
AV:A/AC:M/Au:S/C:P/I:P/A:P
CPE Matches

e-contract
e-contract
>>dssp>>Versions before 1.3.2(exclusive)
cpe:2.3:a:e-contract:dssp:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarycna@vuldb.com
CWE ID: CWE-611
Type: Primary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302cna@vuldb.com
Patch
Third Party Advisory
https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2cna@vuldb.com
Release Notes
Third Party Advisory
https://vuldb.com/?ctiid.217549cna@vuldb.com
Permissions Required
Third Party Advisory
https://vuldb.com/?id.217549cna@vuldb.com
Permissions Required
Third Party Advisory
Hyperlink: https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302
Source: cna@vuldb.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2
Source: cna@vuldb.com
Resource:
Release Notes
Third Party Advisory
Hyperlink: https://vuldb.com/?ctiid.217549
Source: cna@vuldb.com
Resource:
Permissions Required
Third Party Advisory
Hyperlink: https://vuldb.com/?id.217549
Source: cna@vuldb.com
Resource:
Permissions Required
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

142Records found

CVE-2014-125087
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-1.23% / 65.32%
||
7 Day CHG~0.00%
Published-19 Feb, 2023 | 16:31
Updated-13 Feb, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
java-xmlbuilder xml external entity reference

A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.

Action-Not Available
Vendor-java-xmlbuilder_projectn/a
Product-java-xmlbuilderjava-xmlbuilder
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-11035
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 30.31%
||
7 Day CHG~0.00%
Published-26 Sep, 2025 | 18:32
Updated-08 Oct, 2025 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA text xml external entity reference

A vulnerability was determined in Jinher OA 2.0. The impacted element is an unknown function of the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl&style=1. This manipulation causes xml external entity reference. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-10816
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.51%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 21:32
Updated-03 Oct, 2025 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA XML text xml external entity reference

A security flaw has been discovered in Jinher OA 2.0. This affects an unknown part of the file /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl&style=add of the component XML Handler. Performing manipulation results in xml external entity reference. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2013-4334
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.36% / 68.25%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 13:53
Updated-06 Aug, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities

Action-Not Available
Vendor-tejimayaopWebAPIPlugin
Product-opwebapipluginopWebAPIPlugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-54988
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.4||HIGH
EPSS-2.96% / 85.55%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 20:08
Updated-26 Feb, 2026 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tikaApache Tika PDF parser module
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-42307
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.52% / 40.15%
||
7 Day CHG~0.00%
Published-03 Oct, 2022 | 14:48
Updated-03 Aug, 2024 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.

Action-Not Available
Vendor-n/aVeritas Technologies LLC
Product-netbackupn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-18705
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.77% / 84.54%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 17:56
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.

Action-Not Available
Vendor-quokka_projectn/a
Product-quokkan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-3980
Matching Score-4
Assigner-Sophos Limited
ShareView Details
Matching Score-4
Assigner-Sophos Limited
CVSS Score-9.8||CRITICAL
EPSS-8.09% / 94.12%
||
7 Day CHG~0.00%
Published-16 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.

Action-Not Available
Vendor-Sophos Ltd.
Product-mobileSophos Mobile managed on-premises
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-10799
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 70.12%
||
7 Day CHG~0.00%
Published-20 Mar, 2020 | 22:40
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.

Action-Not Available
Vendor-svglib_projectn/a
Product-svglibn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-10992
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.25% / 65.86%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 23:42
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.

Action-Not Available
Vendor-azkaban_projectn/a
Product-azkabann/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-10683
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.27% / 93.60%
||
7 Day CHG~0.00%
Published-01 May, 2020 | 18:55
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Action-Not Available
Vendor-dom4j_projectn/aNetApp, Inc.Canonical Ltd.Oracle CorporationopenSUSE
Product-communications_diameter_signaling_routerubuntu_linuxbanking_platformendeca_information_discovery_integratoragile_plmhealth_sciences_empirica_signalsnapcentercommunications_application_session_controllerinsurance_policy_administration_j2eeretail_order_brokerfinancial_services_analytical_applications_infrastructureretail_price_managementdom4jcommunications_unified_inventory_managementdocumakerapplication_testing_suitefusion_middlewareretail_customer_management_and_segmentation_foundationbusiness_process_management_suiteleapinsurance_rules_paletteoncommand_api_servicesrapid_planningretail_integration_busoncommand_workflow_automationenterprise_data_qualityutilities_frameworkstoragetek_tape_analytics_sw_toolprimavera_p6_enterprise_project_portfolio_managementhealth_sciences_information_managersnapmanagerflexcube_core_bankingjdeveloperretail_xstore_point_of_servicesnap_creator_frameworkenterprise_manager_base_platformwebcenter_portaldata_integratorn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-2777
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-79.13% / 99.55%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:53
Updated-26 Feb, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SysAid On-Prem <= 23.3.40 lshw Proceessing XML External Entity Injection

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.

Action-Not Available
Vendor-SysAid Technologies Ltd.
Product-sysaidSysAid On-Prem
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-7824
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.14%
||
7 Day CHG~0.00%
Published-19 Jul, 2025 | 13:02
Updated-26 Aug, 2025 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA XmlHttp.aspx xml external entity reference

A vulnerability was found in Jinher OA 1.1. It has been rated as problematic. This issue affects some unknown processing of the file XmlHttp.aspx. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-28890
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-2.47% / 82.56%
||
7 Day CHG+0.15%
Published-05 May, 2022 | 08:40
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Processing external DTDs

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

Action-Not Available
Vendor-The Apache Software Foundation
Product-jenaApache Jena
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-28219
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-97.01% / 99.88%
||
7 Day CHG~0.00%
Published-05 Apr, 2022 | 18:32
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adaudit_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-7523
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.57% / 43.17%
||
7 Day CHG~0.00%
Published-13 Jul, 2025 | 07:02
Updated-26 Aug, 2025 | 12:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA DelTemp.aspx xml external entity reference

A vulnerability was found in Jinher OA 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-66516
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.4||HIGH
EPSS-79.81% / 99.56%
||
7 Day CHG~0.00%
Published-04 Dec, 2025 | 16:17
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tikaApache Tika parsersApache Tika coreApache Tika PDF parser module
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-23640
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 70.09%
||
7 Day CHG+0.03%
Published-02 Mar, 2022 | 19:50
Updated-23 Apr, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in Excel-Streaming-Reader

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.

Action-Not Available
Vendor-excel_streaming_reader_projectmonitorjbl
Product-excel_streaming_readerexcel-streaming-reader
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVE-2022-24449
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.88% / 76.87%
||
7 Day CHG~0.00%
Published-28 Apr, 2022 | 20:06
Updated-03 Aug, 2024 | 04:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

Action-Not Available
Vendor-rt-solarn/a
Product-solar_appscreenern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-45024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.29% / 66.80%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 11:57
Updated-05 Jul, 2026 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).

Action-Not Available
Vendor-rocketsoftwaren/a
Product-ags-zenan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-24340
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.01% / 58.91%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 14:35
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-23170
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-5.9||MEDIUM
EPSS-0.60% / 44.23%
||
7 Day CHG~0.00%
Published-24 Jun, 2022 | 15:00
Updated-16 Sep, 2024 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SysAid - Okta SSO integration

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Action-Not Available
Vendor-SysAid Technologies Ltd.
Product-okta_ssoSysAid - Okta SSO integration
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-49875
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 38.29%
||
7 Day CHG+0.12%
Published-12 Jun, 2026 | 08:54
Updated-30 Jun, 2026 | 03:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.
Product-cxfApache CXFRed Hat JBoss Web Server 5Red Hat Single Sign-On 7Red Hat build of Apache Camel 4 for Quarkus 3Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-13990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-16.20% / 96.55%
||
7 Day CHG-0.43%
Published-26 Jul, 2019 | 00:00
Updated-15 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Action-Not Available
Vendor-softwareagn/aAtlassianNetApp, Inc.The Apache Software FoundationOracle Corporation
Product-flexcube_investor_servicingprimavera_unifierquartzretail_central_officegoogle_guava_mapviewerjd_edwards_enterpriseone_orchestratorretail_back_officeterracotta_quartz_scheduler_mapviewercommunications_ip_service_activatorcommunications_session_route_manageractive_iq_unified_managerflexcube_private_bankingretail_integration_busretail_returns_managementapache_batik_mapviewerbanking_enterprise_product_manufacturingjira_service_managementretail_point-of-servicebanking_enterprise_originationsbanking_paymentsretail_order_brokertomeeretail_xstore_point_of_servicecustomer_management_and_segmentation_foundationfusion_middleware_mapviewercloud_secure_agentdocumakerwebcenter_siteshyperion_infrastructure_technologyenterprise_manager_ops_centerenterprise_manager_base_platformn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-52252
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.11% / 61.86%
||
7 Day CHG~0.00%
Published-30 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.

Action-Not Available
Vendor-unifiedremoten/a
Product-unified_remoten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-3486
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.8||HIGH
EPSS-0.47% / 37.60%
||
7 Day CHG~0.00%
Published-15 May, 2024 | 16:46
Updated-21 Jan, 2025 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity injection vulnerability in iManager

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to information disclosure and remote code execution.

Action-Not Available
Vendor-Micro Focus International LimitedOpen Text Corporation
Product-imanageriManagerimanager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-2131
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-8.5||HIGH
EPSS-0.75% / 50.34%
||
7 Day CHG+0.02%
Published-25 Jul, 2022 | 14:20
Updated-17 Sep, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenKM XXE Injection

OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack.

Action-Not Available
Vendor-openkmOpenKM
Product-openkmOpenKM Document Management Community
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-11341
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.49% / 38.50%
||
7 Day CHG+0.01%
Published-06 Oct, 2025 | 17:02
Updated-16 Jan, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA type xml external entity reference

A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-11140
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.57% / 43.24%
||
7 Day CHG~0.00%
Published-29 Sep, 2025 | 04:02
Updated-03 Oct, 2025 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bjskzy Zhiyou ERP com.artery.richclient.RichClientService openForm xml external entity reference

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-zhiyou-groupBjskzy
Product-zhiyou_erpZhiyou ERP
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-1704
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.6||HIGH
EPSS-0.82% / 52.65%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 15:25
Updated-16 Apr, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inductive Automation Ignition

Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.

Action-Not Available
Vendor-inductiveautomationInductive Automation
Product-ignitionIgnition
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-1700
Matching Score-4
Assigner-Forcepoint
ShareView Details
Matching Score-4
Assigner-Forcepoint
CVSS Score-7.5||HIGH
EPSS-0.70% / 48.60%
||
7 Day CHG~0.00%
Published-12 Sep, 2022 | 18:07
Updated-03 Aug, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.

Action-Not Available
Vendor-forcepointForcepoint
Product-data_loss_preventionemail_securityone_endpoint_with_policy_engineweb_security_content_gatewaycloud_security_gatewayCloud Security Gateway One Endpoint (F1E) with Policy EngineEmail Security with DLP enabledWeb Security Content GatewayData Loss Prevention (DLP)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-10092
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.51%
||
7 Day CHG~0.00%
Published-08 Sep, 2025 | 11:32
Updated-09 Oct, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA XML Type xml external entity reference

A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in xml external entity reference. The attack can be executed remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-21082
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.81% / 52.36%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 21:26
Updated-26 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-bi_publisherBI Publisher (formerly XML Publisher)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0228
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-9.45% / 94.83%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:07
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Action-Not Available
Vendor-n/aThe Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_trade_finance_process_managementpeoplesoft_enterprise_peopletoolsbanking_supply_chain_financepdfboxcommunications_messaging_serverhyperion_financial_reportingfedoraretail_xstore_point_of_servicejamesbanking_corporate_lending_process_managementcommunications_session_report_managerwebcenter_sitesbanking_credit_facilities_process_managementbanking_virtual_account_managementApache PDFBox
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-10991
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.25% / 65.86%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 23:42
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java

Action-Not Available
Vendor-mulesoftn/a
Product-aplkitn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-55081
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.81% / 52.36%
||
7 Day CHG~0.00%
Published-19 Dec, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-55875
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.90% / 77.20%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 18:56
Updated-09 Jun, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
http4k has a potential XXE (XML External Entity Injection) vulnerability

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.

Action-Not Available
Vendor-http4k
Product-http4k
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-54445
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-8.2||HIGH
EPSS-9.22% / 94.73%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:31
Updated-15 Aug, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-49656
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 53.49%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 13:45
Updated-13 Feb, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-matlabJenkins MATLAB Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-49733
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.29% / 66.76%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 11:29
Updated-13 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Cocoon's StreamGenerator is vulnerable to XXE injection

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-cocoonApache Cocoon
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-48362
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.75% / 50.57%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 07:45
Updated-13 Feb, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Drill: XXE Vulnerability in XML Format Reader

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

Action-Not Available
Vendor-apache_software_foundationThe Apache Software Foundation
Product-drillApache Drillapache_drill
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0839
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-2.92% / 85.35%
||
7 Day CHG~0.00%
Published-04 Mar, 2022 | 14:25
Updated-03 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in liquibase/liquibase

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Action-Not Available
Vendor-liquibaseliquibaseOracle Corporation
Product-sqlclliquibaseliquibase/liquibase
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-45612
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-8.6||HIGH
EPSS-0.60% / 44.11%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:20
Updated-19 Sep, 2024 | 13:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE

Action-Not Available
Vendor-JetBrains s.r.o.
Product-ktorKtorktor
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-46502
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.72% / 49.43%
||
7 Day CHG~0.00%
Published-30 Oct, 2023 | 00:00
Updated-09 Sep, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.

Action-Not Available
Vendor-opencrxn/a
Product-opencrxn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-46265
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-4.00% / 89.29%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 15:43
Updated-17 Sep, 2024 | 02:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-25082
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.78% / 51.29%
||
7 Day CHG~0.00%
Published-21 Mar, 2023 | 18:00
Updated-26 Feb, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zwczou WeChat SDK Python to_xml xml external entity reference

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The patch is named e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.

Action-Not Available
Vendor-wechat_sdk_python_projectzwczou
Product-wechat_sdk_pythonWeChat SDK Python
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-25142
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.37% / 29.13%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 19:27
Updated-29 Dec, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NovaRad NovaPACS Diagnostics Viewer 8.5 XML External Entity Injection

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.

Action-Not Available
Vendor-NovaRad Corporation
Product-NovaPACS Diagnostics Viewer
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-26999
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.39% / 68.91%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 00:00
Updated-05 Jul, 2026 | 01:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file.

Action-Not Available
Vendor-netscoutn/a
Product-ngeniusonen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-36419
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-1.73% / 74.86%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 17:08
Updated-11 Feb, 2026 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_hdinsightAzure HDInsight
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20687
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.53% / 82.97%
||
7 Day CHG~0.00%
Published-18 Nov, 2019 | 18:12
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-raritann/a
Product-commandcenter_secure_gatewayn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found