Skip to main content

CWE-776

Improper Restriction of Recursive Entity References in DTDs

47 CVEs Avg CVSS 6.9 MITRE
3
CRITICAL
23
HIGH
21
MEDIUM
0
LOW
14
POC
0
KEV

Monthly

CVE-2026-12993 MEDIUM This Month

CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. No active exploitation (CISA KEV) or confirmed public exploit code has been identified at time of analysis; EPSS data was not provided in the input.

Information Disclosure Build Of Apicurio Registry
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-45771 HIGH PATCH This Week

Denial of service in FreeSWITCH versions prior to 1.11.0 allows unauthenticated remote attackers to exhaust CPU and memory by sending a single SIP PUBLISH request whose PIDF body contains a malicious DTD with nested entity declarations. The bundled XML parser expands these entities before any digest authentication check, making this a pre-auth resource exhaustion vector (CWE-776, classic 'billion laughs'). No public exploit identified at time of analysis, but the CVSS 7.5 availability-only impact reflects a high-confidence DoS condition against any exposed FreeSWITCH instance.

Information Disclosure Freeswitch
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44020 PyPI HIGH PATCH GHSA This Week

XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.

Denial Of Service XXE SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45304 PHP HIGH PATCH GHSA This Week

Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-23822 MEDIUM This Month

A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x

Information Disclosure Arubaos Aos
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31248 PyPI HIGH GHSA This Week

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

XXE Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40260 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.

Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-33036 npm HIGH PATCH This Week

A bypass vulnerability in fast-xml-parser allows attackers to circumvent entity expansion limits through numeric character references (&#NNN;) and standard XML entities, causing denial of service via excessive memory allocation and CPU consumption. The vulnerability affects fast-xml-parser versions 5.x through 5.5.5, completely bypassing security controls added in the previous CVE-2026-26278 fix. A proof-of-concept demonstrates that even with strict limits configured (maxTotalExpansions=10), an attacker can inject 100,000+ numeric entities to consume hundreds of megabytes of memory.

Denial Of Service Node.js Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29074 npm HIGH POC PATCH This Week

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.

Node.js Denial Of Service Svgo
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27807 MEDIUM This Month

Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).

XXE Denial Of Service Markus
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM This Month

CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. No active exploitation (CISA KEV) or confirmed public exploit code has been identified at time of analysis; EPSS data was not provided in the input.

Information Disclosure Build Of Apicurio Registry
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in FreeSWITCH versions prior to 1.11.0 allows unauthenticated remote attackers to exhaust CPU and memory by sending a single SIP PUBLISH request whose PIDF body contains a malicious DTD with nested entity declarations. The bundled XML parser expands these entities before any digest authentication check, making this a pre-auth resource exhaustion vector (CWE-776, classic 'billion laughs'). No public exploit identified at time of analysis, but the CVSS 7.5 availability-only impact reflects a high-confidence DoS condition against any exposed FreeSWITCH instance.

Information Disclosure Freeswitch
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.

Denial Of Service XXE SSRF
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.

Java Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x

Information Disclosure Arubaos Aos
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

XXE Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.

Information Disclosure Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A bypass vulnerability in fast-xml-parser allows attackers to circumvent entity expansion limits through numeric character references (&#NNN;) and standard XML entities, causing denial of service via excessive memory allocation and CPU consumption. The vulnerability affects fast-xml-parser versions 5.x through 5.5.5, completely bypassing security controls added in the previous CVE-2026-26278 fix. A proof-of-concept demonstrates that even with strict limits configured (maxTotalExpansions=10), an attacker can inject 100,000+ numeric entities to consume hundreds of megabytes of memory.

Denial Of Service Node.js Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.

Node.js Denial Of Service Svgo
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).

XXE Denial Of Service Markus
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy