Skip to main content

CWE-611

Improper Restriction of XML External Entity Reference

981 CVEs Avg CVSS 7.5 MITRE
234
CRITICAL
443
HIGH
286
MEDIUM
15
LOW
224
POC
8
KEV

Monthly

CVE-2026-48359 CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts +1
NVD VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-54470 MEDIUM PATCH This Month

Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.

XXE Dell Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57259 MEDIUM This Month

XXE injection in Foxit PDF Editor and Foxit PDF Reader exposes any local file readable by the victim user when they open a maliciously crafted document disguised as a PDF. The parser processes documents that are not structurally valid PDFs, resolving attacker-controlled external XML entities that reference local filesystem paths via file:// or similar protocols, enabling out-of-band exfiltration of sensitive local files. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is gated by user interaction (UI:R), limiting opportunistic mass exploitation.

XXE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54640 Maven HIGH PATCH GHSA This Week

Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.

XXE SSRF Java Apache
NVD GitHub
CVSS 3.1
7.6
CVE-2026-47898 MEDIUM PATCH This Month

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.

XXE Apache Lucene Net
NVD
CVSS 4.0
4.0
EPSS
0.1%
CVE-2026-13449 CRITICAL Act Now

XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). Reported by IBM PSIRT with a vendor advisory published (IBM support node 7278532).

XXE IBM Business Automation Manager
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-12975 HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service Red Hat Build Of Apicurio Registry 3
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-56701 PHP HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure Grav
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-12788 LOW POC Monitor

XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote attackers to manipulate the XML parser at the /adpweb/a/base/barcodeDetail/import endpoint, potentially exposing local files or facilitating server-side request forgery against internal infrastructure. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege exploitation with a publicly disclosed proof-of-concept published on Feishu. The vendor did not respond to pre-disclosure contact, leaving no official patch available at time of analysis.

XXE Adp Application Developer Platform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-48981 MEDIUM PATCH This Month

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. No public exploit identified at time of analysis, but the scope change (S:C in CVSS) reflects that exploitation occurs inside processes running with elevated privileges, amplifying the potential impact of any upstream compromise that enables config tampering.

XXE Pam Usb
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
EPSS 1% CVSS 9.6
CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe +3
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.

XXE Dell Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

XXE injection in Foxit PDF Editor and Foxit PDF Reader exposes any local file readable by the victim user when they open a maliciously crafted document disguised as a PDF. The parser processes documents that are not structurally valid PDFs, resolving attacker-controlled external XML entities that reference local filesystem paths via file:// or similar protocols, enabling out-of-band exfiltration of sensitive local files. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is gated by user interaction (UI:R), limiting opportunistic mass exploitation.

XXE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 7.6
HIGH PATCH This Week

Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.

XXE SSRF Java +1
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.

XXE Apache Lucene Net
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). Reported by IBM PSIRT with a vendor advisory published (IBM support node 7278532).

XXE IBM Business Automation Manager
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote attackers to manipulate the XML parser at the /adpweb/a/base/barcodeDetail/import endpoint, potentially exposing local files or facilitating server-side request forgery against internal infrastructure. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege exploitation with a publicly disclosed proof-of-concept published on Feishu. The vendor did not respond to pre-disclosure contact, leaving no official patch available at time of analysis.

XXE Adp Application Developer Platform
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. No public exploit identified at time of analysis, but the scope change (S:C in CVSS) reflects that exploitation occurs inside processes running with elevated privileges, amplifying the potential impact of any upstream compromise that enables config tampering.

XXE Pam Usb
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy