Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-8396

Summary
Assigner-TR-CERT
Assigner Org ID-ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At-17 Jul, 2026 | 12:20
Updated At-17 Jul, 2026 | 12:55
Rejected At-
Credits

XXE in Netcad's NetGIS

Improper restriction of XML external entity reference vulnerability in Netcad Software Inc. NetGIS allows Serialized Data External Linking. This issue affects NetGIS: from 5.0.66 before 7.2.2.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:TR-CERT
Assigner Org ID:ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At:17 Jul, 2026 | 12:20
Updated At:17 Jul, 2026 | 12:55
Rejected At:
▼CVE Numbering Authority (CNA)
XXE in Netcad's NetGIS

Improper restriction of XML external entity reference vulnerability in Netcad Software Inc. NetGIS allows Serialized Data External Linking. This issue affects NetGIS: from 5.0.66 before 7.2.2.

Affected Products
Vendor
Netcad Software Inc.
Product
NetGIS
Default Status
unaffected
Versions
Affected
  • From 5.0.66 before 7.2.2 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-611CWE-611 Improper restriction of XML external entity reference
Type: CWE
CWE ID: CWE-611
Description: CWE-611 Improper restriction of XML external entity reference
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-201CAPEC-201 Serialized Data External Linking
CAPEC ID: CAPEC-201
Description: CAPEC-201 Serialized Data External Linking
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0570
government-resource
Hyperlink: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0570
Resource:
government-resource
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:iletisim@usom.gov.tr
Published At:17 Jul, 2026 | 13:19
Updated At:17 Jul, 2026 | 15:00

Improper restriction of XML external entity reference vulnerability in Netcad Software Inc. NetGIS allows Serialized Data External Linking. This issue affects NetGIS: from 5.0.66 before 7.2.2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-611Secondaryiletisim@usom.gov.tr
CWE ID: CWE-611
Type: Secondary
Source: iletisim@usom.gov.tr
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0570iletisim@usom.gov.tr
N/A
Hyperlink: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0570
Source: iletisim@usom.gov.tr
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

142Records found

CVE-2012-1102
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.40% / 69.47%
||
7 Day CHG~0.00%
Published-09 Jul, 2021 | 10:42
Updated-06 Aug, 2024 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.

Action-Not Available
Vendor-xml\n/a
Product-\perl-xml-atom
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-27476
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.98% / 58.41%
||
7 Day CHG~0.00%
Published-07 Mar, 2023 | 23:20
Updated-25 Feb, 2025 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity (XXE) Injection in OWSLib

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.

Action-Not Available
Vendor-osgeogeopython
Product-owslibOWSLib
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-27527
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-2.5||LOW
EPSS-0.34% / 26.46%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 00:00
Updated-28 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.

Action-Not Available
Vendor-touki-kyoutaku-onlineThe Ministry of Justice
Product-shinseiyo_sogo_softShinseiyo Sogo Soft
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-53675
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.3||HIGH
EPSS-83.94% / 99.66%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 22:01
Updated-12 Dec, 2024 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-insight_remote_supportHPE Insight Remote Supportinsight_remote_support
CWE ID-CWE-91
XML Injection (aka Blind XPath Injection)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-49875
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 41.04%
||
7 Day CHG+0.04%
Published-12 Jun, 2026 | 08:54
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-cxfApache CXFRed Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat JBoss Web Server 5Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-22832
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.41% / 69.63%
||
7 Day CHG~0.00%
Published-10 Feb, 2023 | 07:45
Updated-24 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-5602
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.43% / 70.04%
||
7 Day CHG~0.00%
Published-30 Jun, 2020 | 10:20
Updated-04 Aug, 2024 | 08:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mitsubishi Electoric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver.1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-melsoft_fielddeviceconfiguratorm_commdtm-hartgx_works3melfa-worksmelsoft_iq_appportalgt_designer3gx_logviewermt_works2motion_control_settingcw_configuratormelsec-l_flexible_high-speed_i\/o_control_module_configuration_toolcpu_module_logging_configuration_toolmelsoft_navigatorgx_works2m_commdtm-io-linkmr_configurator2mi_configuratorrt_toolbox2em_configuratorrt_toolbox3Mitsubishi Electoric FA Engineering Software
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-4643
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-2.84% / 85.07%
||
7 Day CHG~0.00%
Published-21 Sep, 2020 | 17:10
Updated-17 Sep, 2024 | 01:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-22624
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.18% / 86.63%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 00:00
Updated-04 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_exchange_reporter_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-22274
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-1.46% / 70.57%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 12:52
Updated-04 Sep, 2024 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZDI-CAN-21305: Adobe RoboHelp Server UpdateCommandStream XML External Entity Processing Information Disclosure Vulnerability

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.
Product-robohelp_serverwindowsRoboHelprobohelp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2011-3600
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-15.91% / 96.52%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 00:07
Updated-06 Aug, 2024 | 23:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.

Action-Not Available
Vendor-OFBizThe Apache Software Foundation
Product-ofbizOFBiz
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2009-1699
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-29.10% / 97.95%
||
7 Day CHG~0.00%
Published-10 Jun, 2009 | 17:37
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Action-Not Available
Vendor-n/aCanonical Ltd.Apple Inc.openSUSE
Product-ubuntu_linuxiphone_ossafariopensusen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-41066
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.55%
||
7 Day CHG~0.00%
Published-24 Apr, 2026 | 16:45
Updated-27 Apr, 2026 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

Action-Not Available
Vendor-lxmllxml
Product-lxmllxml
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-27858
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-73.83% / 99.42%
||
7 Day CHG~0.00%
Published-20 Jan, 2021 | 19:35
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11103.

Action-Not Available
Vendor-Arcserve, LLC
Product-d2dD2D
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-40682
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.1||CRITICAL
EPSS-0.52% / 40.36%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 16:55
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support — external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario. Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-opennlpApache OpenNLPRed Hat build of Apache Camel for Spring Boot 4Red Hat Data Grid 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-31497
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.37% / 29.39%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 20:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TEIGarage XML External Entity (XXE) Injection in Document Conversion Service

TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML files during the conversion process but fails to disable external entity processing, allowing an attacker to read arbitrary files from the server's filesystem. This vulnerability could allow attackers to read sensitive files from the server's filesystem, potentially exposing configuration files, credentials, or other confidential information. Additionally, depending on the server configuration, this could potentially be used to perform server-side request forgery (SSRF) attacks by making the server connect to internal services. This issue is patched in version 1.2.4. A workaround for this vulnerability includes disabling external entity processing in the XML parser by setting the appropriate security features (e.g., XMLConstants.FEATURE_SECURE_PROCESSING).

Action-Not Available
Vendor-TEIC
Product-TEIGarage
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-48917
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.72% / 49.68%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 19:48
Updated-07 Mar, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XXE in PHPSpreadsheet's XLSX reader

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that `encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheetphpspreadsheet
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-25186
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-1.14% / 62.95%
||
7 Day CHG~0.00%
Published-22 Oct, 2020 | 20:09
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.

Action-Not Available
Vendor-we-conn/a
Product-levistudiouWECON Technology Co., Ltd (WECON) LeviStudioU
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-24454
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.5||HIGH
EPSS-1.18% / 64.09%
||
7 Day CHG~0.00%
Published-12 Nov, 2020 | 18:56
Updated-04 Aug, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-quartus_primeIntel(R) Quartus(R) Prime Pro Edition and Intel(R) Quartus(R) Prime Standard Edition
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-11700
Matching Score-4
Assigner-N-able
ShareView Details
Matching Score-4
Assigner-N-able
CVSS Score-8.4||HIGH
EPSS-30.70% / 98.04%
||
7 Day CHG-0.93%
Published-12 Nov, 2025 | 15:30
Updated-15 Dec, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
N-central Multiple XXE Injection Vulnerabilities

N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure

Action-Not Available
Vendor-n-ableN-able
Product-n-centralN-central
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-21641
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.30% / 90.05%
||
7 Day CHG~0.00%
Published-15 Aug, 2022 | 19:10
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_analytics_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-2324
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-1.34% / 68.14%
||
7 Day CHG~0.00%
Published-03 Dec, 2020 | 15:55
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-cvsJenkins CVS Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-45071
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.46% / 37.11%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 18:58
Updated-15 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Symfony: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Crawler::addXmlContent() set DOMDocument::$validateOnParse = true before loadXML(), re-enabling external entity resolution and allowing attacker-supplied XML to expand file:// entities such as local files. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.

Action-Not Available
Vendor-sensiolabssymfony
Product-symfonysymfonydom-crawler
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-2012
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-1.93% / 77.76%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 19:07
Updated-17 Sep, 2024 | 04:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak

Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system. This issue affects: All versions of PAN-OS for Panorama 7.1 and 8.0; PAN-OS for Panorama 8.1 versions earlier than 8.1.13; PAN-OS for Panorama 9.0 versions earlier than 9.0.7.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-osPAN-OS
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-19954
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.20% / 64.77%
||
7 Day CHG~0.00%
Published-14 Oct, 2021 | 14:17
Updated-04 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.

Action-Not Available
Vendor-s-cmsn/a
Product-s-cmsn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-2775
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-54.61% / 98.90%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:43
Updated-19 Nov, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-08-12||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
SysAid On-Prem <= 23.3.40 Checkin Proceessing XML External Entity Injection

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

Action-Not Available
Vendor-SysAid Technologies Ltd.
Product-sysaidSysAid On-PremSysAid On-Prem
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-17408
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-73.96% / 99.42%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 16:35
Updated-04 Aug, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-10801.

Action-Not Available
Vendor-NEC Corporation
Product-expresscluster_xExpressCluster
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-42341
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-35.53% / 98.27%
||
7 Day CHG~0.00%
Published-14 Oct, 2022 | 19:42
Updated-23 Apr, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe ColdFusion Improper Restriction of XML External Entity Reference Arbitrary file system read

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-coldfusionColdFusion
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-39847
Matching Score-4
Assigner-23637b5d-af4c-4cf9-b8f6-deb7fd0f8423
ShareView Details
Matching Score-4
Assigner-23637b5d-af4c-4cf9-b8f6-deb7fd0f8423
CVSS Score-8.7||HIGH
EPSS-0.45% / 36.16%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 07:10
Updated-17 May, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Action-Not Available
Vendor-4d4D
Product-server4D Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-38374
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.59% / 44.23%
||
7 Day CHG~0.00%
Published-28 Jun, 2024 | 18:01
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.

Action-Not Available
Vendor-CycloneDXcyclonedx
Product-cyclonedx-core-javacyclonedx_core_java
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-32285
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.95% / 57.34%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 09:22
Updated-03 Aug, 2024 | 07:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.

Action-Not Available
Vendor-mendixSiemens AG
Product-samlMendix SAML Module (Mendix 8 compatible)Mendix SAML Module (Mendix 7 compatible)Mendix SAML Module (Mendix 9 compatible)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-32458
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.91% / 56.02%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 02:01
Updated-16 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Data Systems Consulting Co., Ltd. BPM - XML External Entity (XXE) Injection

Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.

Action-Not Available
Vendor-digiwinData Systems Consulting Co., Ltd.
Product-business_process_managementBPM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-31261
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.09% / 61.80%
||
7 Day CHG~0.00%
Published-24 May, 2022 | 14:49
Updated-03 Aug, 2024 | 07:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.

Action-Not Available
Vendor-morpheusdatan/a
Product-morpheusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-29801
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.96% / 57.68%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 09:47
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.

Action-Not Available
Vendor-Siemens AG
Product-teamcenterTeamcenter V12.4Teamcenter V13.0
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-29265
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.43% / 82.34%
||
7 Day CHG~0.00%
Published-30 Apr, 2022 | 08:05
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity References in Multiple Components

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-38653
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.2||HIGH
EPSS-91.98% / 99.81%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 02:38
Updated-15 Aug, 2024 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalancheavalanche
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-15419
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-63.79% / 99.13%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 17:10
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710.

Action-Not Available
Vendor-Veeam Software Group GmbH
Product-one_firmwareoneONE
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-53674
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.3||HIGH
EPSS-47.39% / 98.71%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 21:55
Updated-12 Dec, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-insight_remote_supportHPE Insight Remote Supportinsight_remote_support
CWE ID-CWE-91
XML Injection (aka Blind XPath Injection)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-2414
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-85.32% / 99.69%
||
7 Day CHG~0.00%
Published-29 Jul, 2022 | 18:58
Updated-03 Aug, 2024 | 00:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

Action-Not Available
Vendor-dogtagpkin/a
Product-dogtagpkiDogtag PKI
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-21205
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.5||HIGH
EPSS-1.09% / 61.54%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:04
Updated-05 May, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-quartus_primeIntel(R) Quartus(R) Prime Pro Edition
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-47873
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.76% / 51.13%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 17:03
Updated-07 Mar, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PhpSpreadsheet XmlScanner bypass leads to XXE

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheetphpspreadsheet
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-46985
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.66%
||
7 Day CHG~0.00%
Published-23 Sep, 2024 | 15:12
Updated-27 Sep, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DataEase has an XXE vulnerability

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1.

Action-Not Available
Vendor-DataEase (FIT2CLOUD Inc.)
Product-dataeasedataease
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-1700
Matching Score-4
Assigner-Forcepoint
ShareView Details
Matching Score-4
Assigner-Forcepoint
CVSS Score-7.5||HIGH
EPSS-0.71% / 49.57%
||
7 Day CHG+0.02%
Published-12 Sep, 2022 | 18:07
Updated-03 Aug, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.

Action-Not Available
Vendor-forcepointForcepoint
Product-data_loss_preventionemail_securityone_endpoint_with_policy_engineweb_security_content_gatewaycloud_security_gatewayCloud Security Gateway One Endpoint (F1E) with Policy EngineEmail Security with DLP enabledWeb Security Content GatewayData Loss Prevention (DLP)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-31447
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.17% / 63.90%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 02:46
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file.

Action-Not Available
Vendor-magicpinn/a
Product-magicpinn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-2374
Matching Score-4
Assigner-WSO2 LLC
ShareView Details
Matching Score-4
Assigner-WSO2 LLC
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.95%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 08:12
Updated-23 Apr, 2026 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Action-Not Available
Vendor-WSO2 LLC
Product-identity_serveridentity_server_as_key_manageropen_banking_amopen_banking_iamapi_managerWSO2 API ManagerWSO2 Open Banking AMWSO2 Identity ServerWSO2 Open Banking IAMWSO2 Identity Server as Key Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-40510
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.26% / 66.31%
||
7 Day CHG~0.00%
Published-21 Jun, 2022 | 16:10
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.

Action-Not Available
Vendor-obdasystemsn/a
Product-mastron/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-39371
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.52% / 71.80%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 00:03
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

Action-Not Available
Vendor-osgeon/aDebian GNU/Linux
Product-owslibdebian_linuxpywpsn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-3869
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.6||HIGH
EPSS-1.32% / 67.55%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 12:30
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-stanfordstanfordnlp
Product-corenlpstanfordnlp/corenlp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-39239
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-4.31% / 90.05%
||
7 Day CHG+0.30%
Published-16 Sep, 2021 | 14:40
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity (XXE) vulnerability

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

Action-Not Available
Vendor-The Apache Software Foundation
Product-jenaApache Jena
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0188
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-8.46% / 94.40%
||
7 Day CHG~0.00%
Published-28 May, 2019 | 18:10
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Action-Not Available
Vendor-The Apache Software FoundationOracle Corporation
Product-enterprise_repositorycamelflexcube_private_bankingenterprise_data_qualityenterprise_manager_base_platformApache Camel
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found