Skip to main content

XXE

1231 CVEs technique

Monthly

CVE-2026-48359 CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe Adobe Experience Manager As A Cloud Service Adobe Experience Manager 6 5 Lts +1
NVD
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-54470 MEDIUM PATCH This Month

Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.

XXE Dell Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57259 MEDIUM This Month

XXE injection in Foxit PDF Editor and Foxit PDF Reader exposes any local file readable by the victim user when they open a maliciously crafted document disguised as a PDF. The parser processes documents that are not structurally valid PDFs, resolving attacker-controlled external XML entities that reference local filesystem paths via file:// or similar protocols, enabling out-of-band exfiltration of sensitive local files. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is gated by user interaction (UI:R), limiting opportunistic mass exploitation.

XXE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54640 Maven HIGH PATCH GHSA This Week

Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.

XXE SSRF Java Apache
NVD GitHub
CVSS 3.1
7.6
CVE-2026-47898 MEDIUM PATCH This Month

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.

XXE Apache Lucene Net
NVD
CVSS 4.0
4.0
EPSS
0.1%
CVE-2026-13449 CRITICAL Act Now

XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). Reported by IBM PSIRT with a vendor advisory published (IBM support node 7278532).

XXE IBM Business Automation Manager
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-12975 HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service Red Hat Build Of Apicurio Registry 3
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57234 Ruby LOW PATCH Monitor

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.

XXE SSRF Nokogiri
NVD GitHub VulDB
CVSS 3.1
2.6
EPSS
0.2%
CVE-2026-57303 HIGH This Week

XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition.

XXE SSRF Jenkins Jenkins Assembla Plugin
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56701 PHP HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure Grav
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-12788 LOW POC Monitor

XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote attackers to manipulate the XML parser at the /adpweb/a/base/barcodeDetail/import endpoint, potentially exposing local files or facilitating server-side request forgery against internal infrastructure. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege exploitation with a publicly disclosed proof-of-concept published on Feishu. The vendor did not respond to pre-disclosure contact, leaving no official patch available at time of analysis.

XXE Adp Application Developer Platform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-48981 MEDIUM PATCH This Month

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. No public exploit identified at time of analysis, but the scope change (S:C in CVSS) reflects that exploitation occurs inside processes running with elevated privileges, amplifying the potential impact of any upstream compromise that enables config tampering.

XXE Pam Usb
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-55471 Maven HIGH PATCH GHSA This Week

XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.

Apache Java XXE SSRF
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-49875 CRITICAL PATCH Act Now

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to trigger out-of-band external entity resolution via the EndpointReferenceUtils and W3CMultiSchemaFactory classes, which instantiate SAXParserFactory without JAXP hardening. While CVSS scores this 9.8 critical, EPSS reports only 0.02% exploitation probability, and there is no public exploit identified at time of analysis. Successful exploitation could enable data exfiltration, SSRF, or denial-of-service against applications that process attacker-controlled XML through CXF web services.

Apache XXE Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-40998 HIGH PATCH This Week

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. The flaw was reported by VMware/Spring and is tracked in the official Spring security advisory.

Java XXE Spring Web Services
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-40991 MEDIUM PATCH This Month

XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. No confirmed active exploitation exists (not in CISA KEV), and no public exploit has been identified at time of analysis; however, the High confidentiality impact against developer and CI environments warrants prompt patching.

XXE Java
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-47960 HIGH This Week

Arbitrary file read in Adobe ColdFusion 2023.19, 2025.8 and earlier allows remote unauthenticated attackers to exfiltrate sensitive files from the host filesystem via a malicious XML document that a victim opens through the application. The scope-changed CVSS 7.4 reflects that exploitation can impact resources beyond ColdFusion's own security context, though success hinges on user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XXE Coldfusion
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-8045 HIGH CISA This Week

Server-side file disclosure in Schneider Electric EcoStruxure IT Data Center Expert v9.1.1 and prior allows authenticated users to read arbitrary files on the underlying host by submitting crafted XML payloads to SOAP service endpoints. The flaw stems from improper restriction of XML External Entity references (CWE-611) in the SOAP API. No public exploit identified at time of analysis, but CISA SSVC marks the issue as automatable with partial technical impact.

XXE Information Disclosure Ecostruxure It Data Center Expert
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-44020 PyPI HIGH PATCH GHSA This Week

XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.

Denial Of Service XXE SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44018 PyPI HIGH PATCH GHSA This Week

Local file disclosure and denial of service in the Docling document-conversion library (Python pip package, versions 2.45.0 up to 2.91.0) stem from its METS-GBS backend parsing XML and extracting archives without security controls. A maliciously crafted METS-GBS archive processed by Docling can trigger XML External Entity (XXE) resolution to read sensitive local files, or use decompression/zip bombs and unbounded tar extraction to exhaust memory and disk. EPSS is very low (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis; exploitation requires a victim application to process attacker-supplied input.

Denial Of Service XXE
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-49383 LOW PATCH Monitor

XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted `.form` file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.

XXE Intellij Idea
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-45071 PHP HIGH PATCH GHSA This Week

XML External Entity (XXE) local file disclosure in Symfony's DomCrawler component allows remote attackers to read arbitrary server-side files when an application parses attacker-controlled XML via Crawler::addXmlContent(). The method explicitly set DOMDocument::$validateOnParse = true, which re-enabled libxml DTD subset processing and external entity resolution; because LIBXML_NONET only blocks network fetches and not file:// entities, an entity such as SYSTEM "file:///etc/passwd" is expanded and its contents exposed. EPSS is very low (0.05%, 17th percentile) and there is no public exploit identified at time of analysis, though the vendor commit ships a demonstrative test case.

XXE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-2253 HIGH PATCH This Week

External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).

XXE Pentaho Data Integration And Analytics
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-3603 HIGH PATCH This Week

XML External Entity (XXE) injection in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows authenticated attackers to disclose sensitive information or exhaust memory resources by submitting crafted XML data to the application. The flaw carries a CVSS 7.1 (High) rating with low attack complexity over the network, but EPSS is only 0.02% (5th percentile) and there is no public exploit identified at time of analysis. SSVC classifies exploitation as 'none' with partial technical impact, indicating low immediate urgency despite the vendor-released patch.

XXE IBM Engineering Lifecycle Management
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44618 Maven PATCH This Week

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Apache XXE Apache Cxf
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46722 PHP MEDIUM PATCH This Month

XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XXE Extension Faceted Search
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-39053 MEDIUM This Month

XML External Entity (XXE) injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to disclose local files or perform Server-Side Request Forgery (SSRF) attacks via malicious XML input to unsafe XStream parsing entry points (PamirsXmlUtils.fromXML, ViewXmlUtils.fromXML). The vulnerability has network attack vector with low complexity (CVSS:3.1 AV:N/AC:L/PR:N) and is automatable per SSVC framework, though no active exploitation or public POC has been confirmed at time of analysis. EPSS data not available; CISA KEV status: not listed.

XXE SSRF
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20224 HIGH NEWS This Week

Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.

XXE Cisco Cisco Catalyst Sd Wan Manager
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44445 MEDIUM PATCH This Month

XML External Entity (XXE) injection in ERPNext's EDI Module allows authenticated low-privilege attackers to read arbitrary files from the server's local filesystem, including sensitive configuration files that may contain database credentials or API keys. Affected are all ERPNext installations on the v15 branch prior to 15.104.3 and on the v16 branch prior to 16.12.0 (cpe:2.3:a:frappe:erpnext:*). No public exploit identified at time of analysis, EPSS exploitation probability sits at 0.06% (18th percentile), and CISA SSVC assesses exploitation as none and the attack as non-automatable - collectively placing this at lower operational priority despite its network-accessible attack vector.

XXE Erpnext
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-31247 PyPI HIGH GHSA This Week

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

XXE Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31248 PyPI HIGH GHSA This Week

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

XXE Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44665 npm MEDIUM PATCH GHSA This Month

Attribute injection in fast-xml-builder npm package allows attackers to inject malicious HTML/XML attributes when processEntities flag is disabled. Affected versions through 1.1.6 fail to properly sanitize quote characters in attribute values, enabling injection of arbitrary attributes like onClick handlers for cross-site scripting attacks. Patch available in version 1.1.7. EPSS and KEV data not available for this vulnerability, suggesting limited observed exploitation targeting this specific library, though the attack technique is well-understood.

XXE Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2023-42346 Maven HIGH PATCH GHSA This Week

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2023-42344 Maven HIGH POC PATCH GHSA This Week

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
1.3%
CVE-2026-41936 HIGH PATCH This Week

XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.

XXE Privilege Escalation PHP
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-38429 CRITICAL Act Now

XML External Entity injection in OpenCMS (versions through v20) allows remote unauthenticated attackers to achieve information disclosure, server-side request forgery, or arbitrary code execution via malicious .zip files uploaded to the Admin Import DB feature. The vulnerability stems from unsafe XML parsing of manifest.xml files within these archives. Despite a maximum CVSS 9.8 score, the real-world risk is limited by the administrative-only attack surface - exploitation requires access to privileged admin import functionality. No active exploitation confirmed (not in CISA KEV), and EPSS score of 0.03% (7th percentile) indicates minimal observed threat activity. Upstream fix available via GitHub commit e3e41e5a, though a tagged release version has not been independently verified.

XXE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-41895 PyPI HIGH PATCH GHSA This Week

XML External Entity (XXE) injection in changedetection.io version 0.54.9 and earlier allows local file disclosure when processing attacker-controlled XML or RSS feeds. The xpath_filter() function in html_tools.py creates an lxml parser without disabling external entity resolution, enabling attackers to embed DOCTYPE declarations that read sensitive files from the host system. Extracted content appears in watch output, diff history, and notification channels. No vendor-released patch identified at time of analysis. CVSS 8.2 reflects high confidentiality impact with attack complexity high due to specific runtime parser behavior requirements.

XXE
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-40682 Maven CRITICAL PATCH GHSA Act Now

XML External Entity injection in Apache OpenNLP's DictionaryEntryPersistor allows remote unauthenticated attackers to disclose local files or perform server-side request forgery when processing untrusted dictionary files. The vulnerable SAX parser initialization omits critical security features (FEATURE_SECURE_PROCESSING, DTD disablement) present elsewhere in the codebase, creating an inconsistency exploitable via the public Dictionary(InputStream) API when loading stop-word lists or domain dictionaries. With EPSS at 0.03% (8th percentile) and no active exploitation reported, this represents a code-quality issue in a specific input path rather than an imminent widespread threat, though the CVSS 9.1 reflects maximum theoretical impact given the network-accessible, unauthenticated attack vector.

XXE SSRF Apache Apache Opennlp
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-6501 Maven MEDIUM This Month

XML external entity (XXE) injection in jOpenDocument 1.5 allows authenticated remote attackers to trigger denial of service through XML bomb attacks (billion laughs) by submitting specially crafted documents. The vulnerability affects document parsing functionality and requires valid user authentication, limiting but not eliminating real-world risk in multi-tenant or collaborative document processing environments. EPSS and KEV status not provided, but SSVC framework indicates automatable exploitation with partial technical impact.

XXE Jopendocument
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-14543 HIGH PATCH This Week

XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers to exfiltrate sensitive data and cause denial of service through maliciously crafted XML documents processed by the DDS middleware. Affects versions 4.3x through 7.6.x across all major release branches (4.3x-7.4.0), with vendor patch available but no public exploit identified at time of analysis. CVSS 8.8 (High) reflects network attack vector with high confidentiality and availability impact but no integrity compromise, consistent with typical XXE data exfiltration and resource exhaustion scenarios. SSVC assessment indicates non-automatable exploitation with partial technical impact, suggesting targeted attack scenarios rather than mass exploitation.

XXE Connext Professional
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2024-13971 HIGH PATCH This Week

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Lobster Pro
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2024-39847 HIGH This Week

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE 4D Server
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-36765 HIGH This Week

XML external entity injection in SpringBlade v4.8.0's /designer/loadReport endpoint enables authenticated attackers to execute arbitrary code remotely. The vulnerability requires low-privilege authentication (PR:L) but no other special conditions (AC:L, UI:N), allowing attackers with basic credentials to compromise confidentiality, integrity, and availability. EPSS probability is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No CISA KEV listing confirms this is not yet widely exploited in the wild, though a GitHub issue documents the flaw suggesting proof-of-concept details may exist.

XXE RCE N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6807 MEDIUM CISA This Month

XML External Entity (XXE) injection in GRASSMARLIN v3.2.1 allows authenticated local users to extract sensitive information through crafted session data that exploits insufficient XML parser hardening. The vulnerability has a CVSS score of 5.5 with local attack vector and high confidentiality impact, affecting users with login credentials on systems running the affected version.

XXE Grassmarlin
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-41674 npm HIGH PATCH GHSA This Week

{requireWellFormed: true} to serializeToString() to enable validation guards; default behavior remains vulnerable to preserve backward compatibility with DOM Parsing spec.

XXE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41066 PyPI HIGH PATCH GHSA This Week

Using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files. lxml 6.1.0 changes the default to `resolve_entities='internal'`, thus disallowing local file access by default. Setting the `resolve_entities` option explicitly to `resolve_entities='internal'` or `resolve_entities=False` disables the local file access. Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to `resolve_entities='internal'` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.

XXE Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-8010 LOW PATCH Monitor

The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Wso2 Api Manager
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2024-2374 HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager Wso2 Identity Server Wso2 Open Banking Am +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40882 Maven HIGH PATCH GHSA This Week

{ return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

XXE SSRF Java
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-40042 CRITICAL Act Now

XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

XXE Pachno
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-33737 MEDIUM PATCH This Month

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allow authenticated attackers to read arbitrary server files through XML External Entity (XXE) injection via improper use of simplexml_load_string() with the LIBXML_NOENT flag enabled across multiple application files. The vulnerability requires low-privilege authentication and medium attack complexity but grants high confidentiality impact with no integrity or availability impact; no public exploit code or active exploitation has been identified at the time of analysis.

XXE Chamilo Lms
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4374 HIGH PATCH This Week

XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthenticated attackers to exfiltrate sensitive data and trigger denial of service conditions. Affects multiple product families (Routing Service, Observability Collector, Recording Service, Queueing Service, Cloud Discovery Service) across versions 5.3.0 through 7.6.x. CVSS 8.8 (High) with network vector and no authentication required. EPSS probability remains low (0.04%, 11th percentile) with no confirmed active exploitation per CISA. Vendor patch available via RTI advisory.

XXE Connext Professional
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-34401 MEDIUM PATCH This Month

XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, exploiting disabled-by-default DTD processing that automatically resolves external entities. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. Microsoft released patched version 2.9.0.21 to address this XXE (XML External Entity) issue.

Microsoft XXE
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-29924 HIGH This Week

Grav CMS versions 1.7.x and earlier allow XML External Entity (XXE) injection through SVG file uploads in the administrative panel and File Manager plugin, potentially enabling remote code execution or information disclosure to authenticated administrators. No CVSS score, CVSS vector, or CWE classification has been assigned; exploitation status and patch availability cannot be confirmed from available data.

XXE File Upload
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-4980 MEDIUM PATCH This Month

Inkscape 1.1 before 1.3 contains a local file disclosure vulnerability in XInclude processing that allows unauthenticated remote attackers to read arbitrary files from an affected system by crafting malicious SVG files with xi:include tags. The vulnerability has a moderate CVSS score of 6.3 but carries high confidentiality impact; no public exploit code or active exploitation has been confirmed at the time of analysis. Upstream fixes are available via GitLab merge requests, and users should upgrade to version 1.3 or later.

XXE Inkscape
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-33913 HIGH This Week

OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. A patch is available in version 8.0.0.3, and this vulnerability has a CVSS score of 7.7 with high confidentiality impact.

XXE Openemr
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-28809 MEDIUM This Month

A SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.

XXE SSRF Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-33371 MEDIUM This Month

An XML External Entity (XXE) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Exchange Web Services (EWS) SOAP interface due to improper XML input handling. An authenticated attacker can submit crafted XML payloads to an XML parser with external entity resolution enabled, potentially disclosing sensitive local files from the server. No CVSS score, EPSS data, or known exploitation-in-the-wild status is currently available, though the vulnerability has been documented in Zimbra's security advisory system.

XXE Microsoft
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3511 HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.

XXE Java Authentication Bypass SSRF Autogram
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-32251 MEDIUM This Month

Tolgee is an open-source localization platform. versions up to 3.166.3 is affected by improper restriction of xml external entity reference.

XXE Google Android
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27807 MEDIUM This Month

Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).

XXE Denial Of Service Markus
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-28770 HIGH POC This Week

XML injection in the IDC SFX2100 satellite receiver web interface allows authenticated attackers to inject arbitrary XML elements and execute reflected cross-site scripting attacks through unsanitized input in the checkifdone.cgi script. Public exploit code exists for this vulnerability, and potential for more severe attacks such as XXE exploitation has not been ruled out. No patch is currently available for affected firmware versions.

XSS XXE Sfx2100 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1567 HIGH This Week

Infosphere Information Server versions up to 11.7.1.6 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM XXE Infosphere Information Server
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-3404 LOW POC Monitor

Jeesite versions up to 5.15.1. contains a vulnerability that allows attackers to xml external entity reference (CVSS 5.0).

Java XXE
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-2252 HIGH This Week

Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.

SSRF XXE Freeflow Core
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-36247 HIGH This Week

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM Linux Windows XXE Db2
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-2536 LOW Monitor

OpenCC JFlow versions up to 20260129 contain an XML External Entity (XXE) injection vulnerability in the Workflow Engine's file handling component that allows authenticated remote attackers to read sensitive files or perform denial of service attacks. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. The issue affects Java-based deployments and requires valid credentials to exploit.

Java XXE
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2020-37192 MEDIUM POC This Month

MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. [CVSS 6.2 MEDIUM]

XXE
NVD Exploit-DB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-1227 This Week

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

Industrial XXE Denial Of Service
NVD
EPSS
0.0%
CVE-2026-2074 LOW POC Monitor

O2OA versions up to 9.0.0 contain an XML external entity (XXE) injection vulnerability in the /x_program_center/jaxrs/mpweixin/check HTTP POST handler that allows authenticated remote attackers to read sensitive files or conduct denial-of-service attacks. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires valid credentials but can be executed over the network without user interaction.

XXE O2oa
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-23739 LOW Monitor

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can ...

XXE Asterisk Certified Asterisk
NVD GitHub
CVSS 3.1
2.0
EPSS
0.1%
CVE-2026-23795 Maven MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-13096 HIGH This Week

IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. [CVSS 7.1 HIGH]

IBM XXE Business Automation Workflow
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-21569 HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE Crowd
NVD VulDB
CVSS 3.0
7.9
EPSS
0.1%
CVE-2026-24400 Maven CRITICAL PATCH Act Now

XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.

Java SSRF XXE Denial Of Service Assertj +2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-65482 Maven CRITICAL PATCH Act Now

XDocReport v0.9.2 through v2.0.3 has an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files, perform SSRF, and potentially achieve remote code execution.

XXE Xdocreport
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1218 LOW Monitor

XXE injection in Bjskzy Zhiyou ERP through the RichClientService component allows authenticated attackers to read sensitive files and manipulate XML data from the network. Public exploit code exists for this vulnerability affecting versions up to 11.0, and the vendor has not provided a patch despite early disclosure notification.

XXE
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14478 HIGH This Week

Demo Importer Plus (WordPress plugin) is affected by improper restriction of xml external entity reference (CVSS 7.5).

WordPress PHP XXE
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2022-50899 MEDIUM POC This Month

Geonetwork versions up to 4.2.0 is affected by improper restriction of xml external entity reference (CVSS 6.5).

XXE Geonetwork
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68493 Maven HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22186 Maven HIGH This Week

Bio-Formats versions up to 8.3.0 contain an XML External Entity (XXE) injection vulnerability in the Leica Microsystems metadata parser that fails to disable external entity expansion. A local attacker can exploit this by crafting malicious XML metadata files to trigger server-side request forgery, read local files, or cause denial of service. No patch is currently available.

XXE Denial Of Service SSRF Bio Formats
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-36589 HIGH This Week

Unisphere For Powermax versions up to 9.2.4.18 is affected by improper restriction of xml external entity reference (CVSS 7.6).

XXE Unisphere For Powermax Virtual Appliance Unisphere For Powermax
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-68280 Maven MEDIUM PATCH This Month

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

Apache Java XXE Spatial Information System
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68463 PyPI MEDIUM PATCH This Month

Biopython's Bio.Entrez module through version 1.86 is vulnerable to XML external entity (XXE) injection in doctype parsing, allowing authenticated remote attackers to read arbitrary files or cause denial of service. The vulnerability requires authenticated access and high attack complexity, resulting in a CVSS score of 4.9 with low confidentiality and availability impact across trust boundaries. Exploitation is not currently tracked in CISA KEV and has extremely low EPSS probability (0.07%, 20th percentile), indicating limited real-world risk despite the XXE vector.

XXE
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-61821 MEDIUM This Month

Arbitrary file read in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier stems from an XML External Entity (XXE) flaw (CWE-611) that lets remote unauthenticated attackers retrieve sensitive files from the server. Adobe rates the issue 8.6 (CVSS 3.1) with a scope change, and no public exploit is identified at time of analysis, though the description notes exploitation depends on conditions beyond the attacker's control.

XXE Coldfusion
NVD VulDB
CVSS 3.1
6.8
EPSS
0.5%
CVE-2025-61813 HIGH This Week

XML External Entity (XXE) injection in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier allows remote attackers to read arbitrary files from the server filesystem via maliciously crafted XML documents requiring user interaction. The vulnerability achieves scope change (CVSS S:C), meaning exploitation can affect resources beyond the vulnerable component. Adobe has released patches in APSB25-105. No confirmed active exploitation (CISA KEV) or public POC identified at time of analysis. EPSS data not available.

XXE
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-66516 Maven HIGH POC PATCH This Week

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

XXE Apache Ubuntu Debian Tika +1
NVD GitHub
CVSS 3.1
8.4
EPSS
1.5%
CVE-2025-65868 HIGH POC This Week

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

XXE Denial Of Service Eyoucms
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-66372 Maven LOW PATCH Monitor

Mustang before 2.16.3 allows exfiltrating files via XXE attacks. Rated low severity (CVSS 2.8). No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
2.8
EPSS
0.0%
CVE-2025-66371 PyPI MEDIUM PATCH This Month

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
EPSS 1% CVSS 9.6
CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe +3
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.

XXE Dell Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

XXE injection in Foxit PDF Editor and Foxit PDF Reader exposes any local file readable by the victim user when they open a maliciously crafted document disguised as a PDF. The parser processes documents that are not structurally valid PDFs, resolving attacker-controlled external XML entities that reference local filesystem paths via file:// or similar protocols, enabling out-of-band exfiltration of sensitive local files. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is gated by user interaction (UI:R), limiting opportunistic mass exploitation.

XXE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 7.6
HIGH PATCH This Week

Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.

XXE SSRF Java +1
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.

XXE Apache Lucene Net
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). Reported by IBM PSIRT with a vendor advisory published (IBM support node 7278532).

XXE IBM Business Automation Manager
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service +1
NVD
EPSS 0% CVSS 2.6
LOW PATCH Monitor

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.

XXE SSRF Nokogiri
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition.

XXE SSRF Jenkins +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote attackers to manipulate the XML parser at the /adpweb/a/base/barcodeDetail/import endpoint, potentially exposing local files or facilitating server-side request forgery against internal infrastructure. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege exploitation with a publicly disclosed proof-of-concept published on Feishu. The vendor did not respond to pre-disclosure contact, leaving no official patch available at time of analysis.

XXE Adp Application Developer Platform
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. No public exploit identified at time of analysis, but the scope change (S:C in CVSS) reflects that exploitation occurs inside processes running with elevated privileges, amplifying the potential impact of any upstream compromise that enables config tampering.

XXE Pam Usb
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.

Apache Java XXE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to trigger out-of-band external entity resolution via the EndpointReferenceUtils and W3CMultiSchemaFactory classes, which instantiate SAXParserFactory without JAXP hardening. While CVSS scores this 9.8 critical, EPSS reports only 0.02% exploitation probability, and there is no public exploit identified at time of analysis. Successful exploitation could enable data exfiltration, SSRF, or denial-of-service against applications that process attacker-controlled XML through CXF web services.

Apache XXE Cxf
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. The flaw was reported by VMware/Spring and is tracked in the official Spring security advisory.

Java XXE Spring Web Services
NVD VulDB HeroDevs
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. No confirmed active exploitation exists (not in CISA KEV), and no public exploit has been identified at time of analysis; however, the High confidentiality impact against developer and CI environments warrants prompt patching.

XXE Java
NVD HeroDevs VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Arbitrary file read in Adobe ColdFusion 2023.19, 2025.8 and earlier allows remote unauthenticated attackers to exfiltrate sensitive files from the host filesystem via a malicious XML document that a victim opens through the application. The scope-changed CVSS 7.4 reflects that exploitation can impact resources beyond ColdFusion's own security context, though success hinges on user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XXE Coldfusion
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Server-side file disclosure in Schneider Electric EcoStruxure IT Data Center Expert v9.1.1 and prior allows authenticated users to read arbitrary files on the underlying host by submitting crafted XML payloads to SOAP service endpoints. The flaw stems from improper restriction of XML External Entity references (CWE-611) in the SOAP API. No public exploit identified at time of analysis, but CISA SSVC marks the issue as automatable with partial technical impact.

XXE Information Disclosure Ecostruxure It Data Center Expert
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.

Denial Of Service XXE SSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local file disclosure and denial of service in the Docling document-conversion library (Python pip package, versions 2.45.0 up to 2.91.0) stem from its METS-GBS backend parsing XML and extracting archives without security controls. A maliciously crafted METS-GBS archive processed by Docling can trigger XML External Entity (XXE) resolution to read sensitive local files, or use decompression/zip bombs and unbounded tar extraction to exhaust memory and disk. EPSS is very low (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis; exploitation requires a victim application to process attacker-supplied input.

Denial Of Service XXE
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted `.form` file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.

XXE Intellij Idea
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XML External Entity (XXE) local file disclosure in Symfony's DomCrawler component allows remote attackers to read arbitrary server-side files when an application parses attacker-controlled XML via Crawler::addXmlContent(). The method explicitly set DOMDocument::$validateOnParse = true, which re-enabled libxml DTD subset processing and external entity resolution; because LIBXML_NONET only blocks network fetches and not file:// entities, an entity such as SYSTEM "file:///etc/passwd" is expanded and its contents exposed. EPSS is very low (0.05%, 17th percentile) and there is no public exploit identified at time of analysis, though the vendor commit ships a demonstrative test case.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).

XXE Pentaho Data Integration And Analytics
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

XML External Entity (XXE) injection in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows authenticated attackers to disclose sensitive information or exhaust memory resources by submitting crafted XML data to the application. The flaw carries a CVSS 7.1 (High) rating with low attack complexity over the network, but EPSS is only 0.02% (5th percentile) and there is no public exploit identified at time of analysis. SSVC classifies exploitation as 'none' with partial technical impact, indicating low immediate urgency despite the vendor-released patch.

XXE IBM Engineering Lifecycle Management
NVD VulDB
EPSS 0% CVSS 5.3
PATCH This Week

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Apache XXE Apache Cxf
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XXE Extension Faceted Search
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

XML External Entity (XXE) injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to disclose local files or perform Server-Side Request Forgery (SSRF) attacks via malicious XML input to unsafe XStream parsing entry points (PamirsXmlUtils.fromXML, ViewXmlUtils.fromXML). The vulnerability has network attack vector with low complexity (CVSS:3.1 AV:N/AC:L/PR:N) and is automatable per SSVC framework, though no active exploitation or public POC has been confirmed at time of analysis. EPSS data not available; CISA KEV status: not listed.

XXE SSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.

XXE Cisco Cisco Catalyst Sd Wan Manager
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

XML External Entity (XXE) injection in ERPNext's EDI Module allows authenticated low-privilege attackers to read arbitrary files from the server's local filesystem, including sensitive configuration files that may contain database credentials or API keys. Affected are all ERPNext installations on the v15 branch prior to 15.104.3 and on the v16 branch prior to 16.12.0 (cpe:2.3:a:frappe:erpnext:*). No public exploit identified at time of analysis, EPSS exploitation probability sits at 0.06% (18th percentile), and CISA SSVC assesses exploitation as none and the attack as non-automatable - collectively placing this at lower operational priority despite its network-accessible attack vector.

XXE Erpnext
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

XXE Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

XXE Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Attribute injection in fast-xml-builder npm package allows attackers to inject malicious HTML/XML attributes when processEntities flag is disabled. Affected versions through 1.1.6 fail to properly sanitize quote characters in attribute values, enabling injection of arbitrary attributes like onClick handlers for cross-site scripting attacks. Patch available in version 1.1.7. EPSS and KEV data not available for this vulnerability, suggesting limited observed exploitation targeting this specific library, though the attack technique is well-understood.

XXE Red Hat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE
NVD VulDB
EPSS 1% CVSS 7.3
HIGH POC PATCH This Week

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

XML external entity injection in Vvveb CMS versions before 1.0.8.2 allows authenticated site_admin users to read arbitrary server files and overwrite administrator password hashes via the admin Tools/Import feature. The vulnerability resides in system/import/xml.php where LIBXML_NOENT flag enabled external entity resolution, allowing injection of file:// and php://filter protocols. Attackers with low-privilege admin accounts can escalate to full administrator access by replacing password hashes in the database. Vendor-released patch version 1.0.8.2 removes LIBXML_NOENT flag. No active exploitation confirmed by CISA KEV at time of analysis.

XXE Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

XML External Entity injection in OpenCMS (versions through v20) allows remote unauthenticated attackers to achieve information disclosure, server-side request forgery, or arbitrary code execution via malicious .zip files uploaded to the Admin Import DB feature. The vulnerability stems from unsafe XML parsing of manifest.xml files within these archives. Despite a maximum CVSS 9.8 score, the real-world risk is limited by the administrative-only attack surface - exploitation requires access to privileged admin import functionality. No active exploitation confirmed (not in CISA KEV), and EPSS score of 0.03% (7th percentile) indicates minimal observed threat activity. Upstream fix available via GitHub commit e3e41e5a, though a tagged release version has not been independently verified.

XXE N A
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

XML External Entity (XXE) injection in changedetection.io version 0.54.9 and earlier allows local file disclosure when processing attacker-controlled XML or RSS feeds. The xpath_filter() function in html_tools.py creates an lxml parser without disabling external entity resolution, enabling attackers to embed DOCTYPE declarations that read sensitive files from the host system. Extracted content appears in watch output, diff history, and notification channels. No vendor-released patch identified at time of analysis. CVSS 8.2 reflects high confidentiality impact with attack complexity high due to specific runtime parser behavior requirements.

XXE
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

XML External Entity injection in Apache OpenNLP's DictionaryEntryPersistor allows remote unauthenticated attackers to disclose local files or perform server-side request forgery when processing untrusted dictionary files. The vulnerable SAX parser initialization omits critical security features (FEATURE_SECURE_PROCESSING, DTD disablement) present elsewhere in the codebase, creating an inconsistency exploitable via the public Dictionary(InputStream) API when loading stop-word lists or domain dictionaries. With EPSS at 0.03% (8th percentile) and no active exploitation reported, this represents a code-quality issue in a specific input path rather than an imminent widespread threat, though the CVSS 9.1 reflects maximum theoretical impact given the network-accessible, unauthenticated attack vector.

XXE SSRF Apache +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

XML external entity (XXE) injection in jOpenDocument 1.5 allows authenticated remote attackers to trigger denial of service through XML bomb attacks (billion laughs) by submitting specially crafted documents. The vulnerability affects document parsing functionality and requires valid user authentication, limiting but not eliminating real-world risk in multi-tenant or collaborative document processing environments. EPSS and KEV status not provided, but SSVC framework indicates automatable exploitation with partial technical impact.

XXE Jopendocument
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers to exfiltrate sensitive data and cause denial of service through maliciously crafted XML documents processed by the DDS middleware. Affects versions 4.3x through 7.6.x across all major release branches (4.3x-7.4.0), with vendor patch available but no public exploit identified at time of analysis. CVSS 8.8 (High) reflects network attack vector with high confidentiality and availability impact but no integrity compromise, consistent with typical XXE data exfiltration and resource exhaustion scenarios. SSVC assessment indicates non-automatable exploitation with partial technical impact, suggesting targeted attack scenarios rather than mass exploitation.

XXE Connext Professional
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Lobster Pro
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE 4D Server
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

XML external entity injection in SpringBlade v4.8.0's /designer/loadReport endpoint enables authenticated attackers to execute arbitrary code remotely. The vulnerability requires low-privilege authentication (PR:L) but no other special conditions (AC:L, UI:N), allowing attackers with basic credentials to compromise confidentiality, integrity, and availability. EPSS probability is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No CISA KEV listing confirms this is not yet widely exploited in the wild, though a GitHub issue documents the flaw suggesting proof-of-concept details may exist.

XXE RCE N A
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

XML External Entity (XXE) injection in GRASSMARLIN v3.2.1 allows authenticated local users to extract sensitive information through crafted session data that exploits insufficient XML parser hardening. The vulnerability has a CVSS score of 5.5 with local attack vector and high confidentiality impact, affecting users with login credentials on systems running the affected version.

XXE Grassmarlin
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

{requireWellFormed: true} to serializeToString() to enable validation guards; default behavior remains vulnerable to preserve backward compatibility with DOM Parsing spec.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files. lxml 6.1.0 changes the default to `resolve_entities='internal'`, thus disallowing local file access by default. Setting the `resolve_entities` option explicitly to `resolve_entities='internal'` or `resolve_entities=False` disables the local file access. Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to `resolve_entities='internal'` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.

XXE Suse Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 3.5
LOW PATCH Monitor

The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Wso2 Api Manager
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager +4
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

{ return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

XXE SSRF Java
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

XXE Pachno
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allow authenticated attackers to read arbitrary server files through XML External Entity (XXE) injection via improper use of simplexml_load_string() with the LIBXML_NOENT flag enabled across multiple application files. The vulnerability requires low-privilege authentication and medium attack complexity but grants high confidentiality impact with no integrity or availability impact; no public exploit code or active exploitation has been identified at the time of analysis.

XXE Chamilo Lms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

XML External Entity (XXE) injection in RTI Connext Professional routing and service components allows remote unauthenticated attackers to exfiltrate sensitive data and trigger denial of service conditions. Affects multiple product families (Routing Service, Observability Collector, Recording Service, Queueing Service, Cloud Discovery Service) across versions 5.3.0 through 7.6.x. CVSS 8.8 (High) with network vector and no authentication required. EPSS probability remains low (0.04%, 11th percentile) with no confirmed active exploitation per CISA. Vendor patch available via RTI advisory.

XXE Connext Professional
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, exploiting disabled-by-default DTD processing that automatically resolves external entities. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. Microsoft released patched version 2.9.0.21 to address this XXE (XML External Entity) issue.

Microsoft XXE
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Grav CMS versions 1.7.x and earlier allow XML External Entity (XXE) injection through SVG file uploads in the administrative panel and File Manager plugin, potentially enabling remote code execution or information disclosure to authenticated administrators. No CVSS score, CVSS vector, or CWE classification has been assigned; exploitation status and patch availability cannot be confirmed from available data.

XXE File Upload
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Inkscape 1.1 before 1.3 contains a local file disclosure vulnerability in XInclude processing that allows unauthenticated remote attackers to read arbitrary files from an affected system by crafting malicious SVG files with xi:include tags. The vulnerability has a moderate CVSS score of 6.3 but carries high confidentiality impact; no public exploit code or active exploitation has been confirmed at the time of analysis. Upstream fixes are available via GitLab merge requests, and users should upgrade to version 1.3 or later.

XXE Inkscape
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. A patch is available in version 8.0.0.3, and this vulnerability has a CVSS score of 7.7 with high confidentiality impact.

XXE Openemr
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

A SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.

XXE SSRF Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

An XML External Entity (XXE) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Exchange Web Services (EWS) SOAP interface due to improper XML input handling. An authenticated attacker can submit crafted XML payloads to an XML parser with external entity resolution enabled, potentially disclosing sensitive local files from the server. No CVSS score, EPSS data, or known exploitation-in-the-wild status is currently available, though the vulnerability has been documented in Zimbra's security advisory system.

XXE Microsoft
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.

XXE Java Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Tolgee is an open-source localization platform. versions up to 3.166.3 is affected by improper restriction of xml external entity reference.

XXE Google Android
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).

XXE Denial Of Service Markus
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

XML injection in the IDC SFX2100 satellite receiver web interface allows authenticated attackers to inject arbitrary XML elements and execute reflected cross-site scripting attacks through unsanitized input in the checkifdone.cgi script. Public exploit code exists for this vulnerability, and potential for more severe attacks such as XXE exploitation has not been ruled out. No patch is currently available for affected firmware versions.

XSS XXE Sfx2100 Firmware
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Infosphere Information Server versions up to 11.7.1.6 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM XXE Infosphere Information Server
NVD
EPSS 0% CVSS 1.3
LOW POC Monitor

Jeesite versions up to 5.15.1. contains a vulnerability that allows attackers to xml external entity reference (CVSS 5.0).

Java XXE
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.

SSRF XXE Freeflow Core
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM Linux Windows +2
NVD
EPSS 0% CVSS 2.1
LOW Monitor

OpenCC JFlow versions up to 20260129 contain an XML External Entity (XXE) injection vulnerability in the Workflow Engine's file handling component that allows authenticated remote attackers to read sensitive files or perform denial of service attacks. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. The issue affects Java-based deployments and requires valid credentials to exploit.

Java XXE
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM POC This Month

MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. [CVSS 6.2 MEDIUM]

XXE
NVD Exploit-DB
EPSS 0%
This Week

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

Industrial XXE Denial Of Service
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

O2OA versions up to 9.0.0 contain an XML external entity (XXE) injection vulnerability in the /x_program_center/jaxrs/mpweixin/check HTTP POST handler that allows authenticated remote attackers to read sensitive files or conduct denial-of-service attacks. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires valid credentials but can be executed over the network without user interaction.

XXE O2oa
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can ...

XXE Asterisk Certified Asterisk
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
EPSS 0% CVSS 7.1
HIGH This Week

IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. [CVSS 7.1 HIGH]

IBM XXE Business Automation Workflow
NVD
EPSS 0% CVSS 7.9
HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.

Java SSRF XXE +4
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

XDocReport v0.9.2 through v2.0.3 has an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files, perform SSRF, and potentially achieve remote code execution.

XXE Xdocreport
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

XXE injection in Bjskzy Zhiyou ERP through the RichClientService component allows authenticated attackers to read sensitive files and manipulate XML data from the network. Public exploit code exists for this vulnerability affecting versions up to 11.0, and the vendor has not provided a patch despite early disclosure notification.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Demo Importer Plus (WordPress plugin) is affected by improper restriction of xml external entity reference (CVSS 7.5).

WordPress PHP XXE
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Geonetwork versions up to 4.2.0 is affected by improper restriction of xml external entity reference (CVSS 6.5).

XXE Geonetwork
NVD Exploit-DB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Bio-Formats versions up to 8.3.0 contain an XML External Entity (XXE) injection vulnerability in the Leica Microsystems metadata parser that fails to disable external entity expansion. A local attacker can exploit this by crafting malicious XML metadata files to trigger server-side request forgery, read local files, or cause denial of service. No patch is currently available.

XXE Denial Of Service SSRF +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Unisphere For Powermax versions up to 9.2.4.18 is affected by improper restriction of xml external entity reference (CVSS 7.6).

XXE Unisphere For Powermax Virtual Appliance Unisphere For Powermax
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

Apache Java XXE +1
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Biopython's Bio.Entrez module through version 1.86 is vulnerable to XML external entity (XXE) injection in doctype parsing, allowing authenticated remote attackers to read arbitrary files or cause denial of service. The vulnerability requires authenticated access and high attack complexity, resulting in a CVSS score of 4.9 with low confidentiality and availability impact across trust boundaries. Exploitation is not currently tracked in CISA KEV and has extremely low EPSS probability (0.07%, 20th percentile), indicating limited real-world risk despite the XXE vector.

XXE
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

Arbitrary file read in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier stems from an XML External Entity (XXE) flaw (CWE-611) that lets remote unauthenticated attackers retrieve sensitive files from the server. Adobe rates the issue 8.6 (CVSS 3.1) with a scope change, and no public exploit is identified at time of analysis, though the description notes exploitation depends on conditions beyond the attacker's control.

XXE Coldfusion
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

XML External Entity (XXE) injection in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier allows remote attackers to read arbitrary files from the server filesystem via maliciously crafted XML documents requiring user interaction. The vulnerability achieves scope change (CVSS S:C), meaning exploitation can affect resources beyond the vulnerable component. Adobe has released patches in APSB25-105. No confirmed active exploitation (CISA KEV) or public POC identified at time of analysis. EPSS data not available.

XXE
NVD VulDB
EPSS 1% CVSS 8.4
HIGH POC PATCH This Week

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

XXE Apache Ubuntu +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

XXE Denial Of Service Eyoucms
NVD GitHub
EPSS 0% CVSS 2.8
LOW PATCH Monitor

Mustang before 2.16.3 allows exfiltrating files via XXE attacks. Rated low severity (CVSS 2.8). No vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub
Page 1 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy