Skip to main content

XXE

1231 CVEs technique

Monthly

CVE-2025-66370 MEDIUM This Month

Kivitendo before 3.9.2 allows XXE injection. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-58360 Maven HIGH POC KEV PATCH THREAT Act Now

GeoServer contains an XXE vulnerability in the WMS GetMap operation allowing unauthenticated attackers to read server files and perform SSRF attacks.

XXE Geoserver
NVD GitHub
CVSS 3.1
8.2
EPSS
86.0%
Threat
7.2
CVE-2025-63917 HIGH POC This Month

PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Denial Of Service Information Disclosure SSRF Pdfpatcher
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-13209 LOW Monitor

A weakness has been identified in bestfeng oa_git_free up to 9.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11700 HIGH POC THREAT Act Now

N-able N-central remote monitoring and management platform versions before 2025.4 contain multiple XML External Entity injection vulnerabilities. Attackers can exploit these to read sensitive files from the RMM server, including configuration files containing credentials for all managed endpoints.

XXE Information Disclosure N Central
NVD
CVSS 4.0
8.4
EPSS
51.2%
Threat
4.7
CVE-2025-64518 Maven HIGH PATCH This Month

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63551 HIGH POC This Month

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF Metinfo
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-10713 Maven MEDIUM This Month

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Api Control Plane Api Manager Enterprise Integrator Identity Server +4
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-12531 HIGH This Month

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Infosphere Information Server
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-11341 MEDIUM POC This Month

A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

XXE Jinher Oa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-20369 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.

XXE Denial Of Service Splunk Cloud Platform Splunk
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-48006 HIGH This Month

Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Dataspider Servista
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-11140 MEDIUM POC This Month

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11035 LOW POC Monitor

A vulnerability was determined in Jinher OA 2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-10816 MEDIUM POC This Month

A security flaw has been discovered in Jinher OA 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-10183 CRITICAL This Week

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-10092 MEDIUM POC This Month

A vulnerability was found in Jinher OA up to 1.2. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-10091 MEDIUM POC This Month

A vulnerability has been found in Jinher OA up to 1.2. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6984 PyPI HIGH POC PATCH This Week

The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Langchain AI / ML Red Hat
NVD
CVSS 3.0
7.5
EPSS
1.9%
CVE-2023-7307 HIGH This Week

Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-35112 MEDIUM This Month

Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Path Traversal
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-57704 MEDIUM This Month

Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-47184 MEDIUM This Month

An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Privilege Escalation Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-54988 Maven HIGH PATCH This Month

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Apache Tika Red Hat
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-4044 HIGH This Month

Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

XXE Microsoft Windows
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-26484 MEDIUM This Month

Dell CloudLink, versions 8.0 through 8.1.1, contains an Improper Restriction of XML External Entity Reference vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Dell Denial Of Service XXE Cloudlink D-Link
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-40584 MEDIUM This Month

A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-54992 MEDIUM This Month

OpenKilda is an open-source OpenFlow controller. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-8355 HIGH This Month

In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Freeflow Core
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-54254 HIGH POC This Month

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Experience Manager Forms
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2019-19144 CRITICAL Act Now

XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-7824 MEDIUM POC This Month

A vulnerability was found in Jinher OA 1.1. It has been rated as problematic. This issue affects some unknown processing of the file XmlHttp.aspx. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

XXE Jinher Oa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7823 MEDIUM POC This Month

A vulnerability was found in Jinher OA 1.2. It has been declared as problematic. This vulnerability affects unknown code of the file ProjectScheduleDelete.aspx. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

XXE Jinher Oa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-52162 MEDIUM This Month

XML External Entity (XXE) injection in agorum core open's RSSReader endpoint enables remote attackers to exfiltrate sensitive server-side data by submitting crafted XML payloads. Affected versions are v11.9.2 and v11.10.1 of this document management platform. EPSS exploitation probability sits at 0.22% (13th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA's KEV catalog - indicating low observed exploitation pressure despite the network-accessible, unauthenticated attack surface described by the CVSS vector.

XXE Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-53689 Maven HIGH PATCH This Week

Apache Jackrabbit versions prior to 2.23.2 contain blind XXE (XML External Entity) vulnerabilities in jackrabbit-spi-commons and jackrabbit-core components due to unsafe XML document parsing when loading privilege definitions. An authenticated attacker with low privileges can exploit this to achieve high-impact confidentiality, integrity, and availability compromise. The vulnerability requires user authentication (PR:L) but has no interaction requirement and affects all systems regardless of scope.

XXE Apache Java Information Disclosure Jackrabbit +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-7523 MEDIUM POC This Month

CVE-2025-7523 is an XML External Entity (XXE) injection vulnerability in Jinher OA 1.0 affecting the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. An unauthenticated remote attacker can exploit this to read sensitive files, modify data, or cause denial of service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

XXE
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6438 MEDIUM This Month

CVE-2025-6438 is a security vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

XXE
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-49544 MEDIUM This Month

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.

XXE Coldfusion
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-49539 MEDIUM This Month

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

XXE Coldfusion
NVD
CVSS 3.1
4.5
EPSS
0.0%
CVE-2025-49535 CRITICAL Act Now

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

XXE Denial Of Service Coldfusion
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-49493 MEDIUM POC PATCH This Month

CVE-2025-49493 is a security vulnerability (CVSS 5.8) that allows file inclusion. Remediation should follow standard vulnerability management procedures.

XXE
NVD GitHub
CVSS 3.1
5.8
EPSS
1.1%
CVE-2025-52888 Maven HIGH PATCH This Week

Allure 2 versions prior to 2.34.1 contain a critical XML External Entity (XXE) injection vulnerability in the xunit-xml-plugin that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem and potentially trigger SSRF attacks. The vulnerability stems from insecure XML parser configuration in the DocumentBuilderFactory and is exploitable by uploading or providing malicious test result XML files without any authentication or user interaction required.

XXE SSRF Information Disclosure Java
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-47293 Maven LOW PATCH Monitor

PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.

XXE SSRF
NVD GitHub
CVSS 4.0
2.7
EPSS
0.1%
CVE-2025-33121 HIGH This Week

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contain an XML External Entity (XXE) injection vulnerability that allows authenticated remote attackers to extract sensitive information or trigger denial-of-service conditions through memory exhaustion. The vulnerability requires valid credentials (CVSS PR:L) but has a high confidentiality impact (C:H) and affects a critical security infrastructure product. No publicly available evidence of active exploitation or public POCs has been confirmed at this time.

XXE IBM Information Disclosure Denial Of Service Qradar Security Information And Event Manager
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-36049 HIGH This Week

CVE-2025-36049 is a security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.

XXE IBM Webmethods Integration
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-44044 HIGH This Week

Keyoti SearchUnit versions prior to 9.0.0 contain an XML External Entity (XXE) injection vulnerability that allows unauthenticated remote attackers to exfiltrate sensitive files from affected systems. The vulnerability has a CVSS 3.1 score of 7.5 (High) with a network attack vector, no privileges required, and no user interaction needed. While no public POC or active in-the-wild exploitation has been widely documented, the straightforward attack vector and high confidentiality impact make this a significant risk for organizations running vulnerable SearchUnit instances.

XXE
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-30220 Maven CRITICAL POC PATCH Act Now

A remote code execution vulnerability in GeoServer (CVSS 9.9) that allows users. Risk factors: public PoC available. Vendor patch is available.

XXE Geonetwork Geotools Geoserver
NVD GitHub
CVSS 3.1
9.9
EPSS
8.4%
CVE-2025-31039 CRITICAL Act Now

CVE-2025-31039 is an XML External Entity (XXE) injection vulnerability in the Pixelgrade Category Icon WordPress plugin (versions through 1.0.2) that allows authenticated attackers with high privileges to read arbitrary files, execute remote code, or cause denial of service through improper XML entity validation. The vulnerability has a critical CVSS score of 9.1 but requires administrator-level privileges to exploit; active exploitation status and proof-of-concept availability are not confirmed from the provided intelligence.

XXE
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-5877 LOW POC Monitor

CVE-2025-5877 is a security vulnerability (CVSS 6.3). Risk factors: public PoC available.

Microsoft PHP XXE
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-48882 PHP HIGH PATCH This Week

PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-4338 MEDIUM This Month

Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-4949 Maven MEDIUM POC PATCH This Week

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XXE Information Disclosure Denial Of Service Jgit Red Hat +1
NVD
CVSS 4.0
6.8
EPSS
0.2%
CVE-2025-27523 HIGH This Month

XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Microsoft Windows
NVD
CVSS 3.1
8.7
EPSS
0.3%
CVE-2025-4641 Maven CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Microsoft Java Apple Windows +1
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2025-4639 HIGH This Month

1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 4.0
8.8
EPSS
0.2%
CVE-2025-47778 PHP MEDIUM PATCH This Month

Sulu is an open-source PHP content management system based on the Symfony framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE PHP
NVD GitHub
CVSS 4.0
6.1
EPSS
0.2%
CVE-2024-51445 HIGH This Month

A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Polarion Alm
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2025-30018 HIGH This Month

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SAP Supplier Relationship Management
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2025-2777 CRITICAL POC THREAT Emergency

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.6%.

XXE Sysaid
NVD
CVSS 3.1
9.3
EPSS
24.6%
Threat
4.1
CVE-2025-2776 CRITICAL POC KEV THREAT Emergency

SysAid On-Prem contains a second unauthenticated XXE injection in Server URL processing, providing an alternative attack path to the Checkin XXE (CVE-2025-2775) for admin takeover.

XXE Sysaid
NVD
CVSS 3.1
9.3
EPSS
62.6%
Threat
6.7
CVE-2025-2775 CRITICAL POC KEV THREAT Emergency

SysAid On-Prem versions through 23.3.40 contain an unauthenticated XXE injection in the Checkin processing, enabling administrator account takeover and file read primitives.

XXE Sysaid
NVD
CVSS 3.1
9.3
EPSS
69.8%
Threat
7.0
CVE-2025-22478 HIGH This Week

Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Dell Information Disclosure Storage Manager
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-46726 PyPI HIGH POC PATCH This Week

Langroid is a framework for building large-language-model-powered applications. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Langroid
NVD GitHub
CVSS 4.0
7.8
EPSS
0.4%
CVE-2025-2905 Maven CRITICAL PATCH Act Now

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Api Manager
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-34490 MEDIUM POC This Month

GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Mailessentials
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-2070 MEDIUM This Month

An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. No vendor patch available.

XXE
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-24911 MEDIUM This Month

Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2025-24910 MEDIUM This Month

Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2025-31497 HIGH This Week

TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-32406 HIGH This Week

An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers fetch and parse the XML response. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2025-32138 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection.11.17. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Google
NVD
CVSS 3.1
6.6
EPSS
0.3%
CVE-2025-3241 MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in zhangyanbo2007 youkefu up to 4.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Youkefu
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-31487 Maven HIGH PATCH This Week

The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Atlassian
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2025-1781 HIGH POC This Week

There is a XXE in W3CSS Validator versions before cssval-20250226 that allows an attacker to use specially-crafted XML objects to coerce server-side request forgery (SSRF). Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF Css Validator
NVD GitHub
CVSS 4.0
8.4
EPSS
0.2%
CVE-2025-29932 MEDIUM Monitor

In JetBrains GoLand before 2025.1 an XXE during debugging was possible. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Goland
NVD
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-25036 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.0.8 (SP8). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-25589 HIGH This Week

An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE RCE Java
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-2365 MEDIUM This Month

A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-0162 HIGH This Week

IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Aspera Shares
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-24521 MEDIUM This Month

External XML entity injection allows arbitrary download of files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2023-38693 Maven CRITICAL PATCH Act Now

Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-56525 CRITICAL Act Now

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-55156 MEDIUM This Month

An XML External Entity (XXE) vulnerability in the deserializeArgs() method of Java SDK for CloudEvents v4.0.1 allows attackers to access sensitive information via supplying a crafted XML-formatted. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Java
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-49781 HIGH This Week

IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Openpages With Watson
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-47160 HIGH This Week

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE IBM Cognos Controller Controller
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2024-25066 MEDIUM POC This Month

RSA Authentication Manager before 8.7 SP2 Patch 1 allows XML External Entity (XXE) attacks via a license file, resulting in attacker-controlled files being stored on the product's server. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-1225 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03.java of the component WXCallBack Interface. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Yimioa
NVD VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2024-54171 HIGH This Week

IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Entirex
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2024-49352 HIGH PATCH This Week

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Cognos Analytics
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-52807 Maven HIGH PATCH This Month

The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
EPSS 0% CVSS 5.0
MEDIUM This Month

Kivitendo before 3.9.2 allows XXE injection. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 86% 7.2 CVSS 8.2
HIGH POC KEV PATCH THREAT Act Now

GeoServer contains an XXE vulnerability in the WMS GetMap operation allowing unauthenticated attackers to read server files and perform SSRF attacks.

XXE Geoserver
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Month

PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Denial Of Service Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A weakness has been identified in bestfeng oa_git_free up to 9.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub VulDB
EPSS 51% 4.7 CVSS 8.4
HIGH POC THREAT Act Now

N-able N-central remote monitoring and management platform versions before 2025.4 contain multiple XML External Entity injection vulnerabilities. Attackers can exploit these to read sensitive files from the RMM server, including configuration files containing credentials for all managed endpoints.

XXE Information Disclosure N Central
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Red Hat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Month

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF Metinfo
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Api Control Plane Api Manager +6
NVD
EPSS 0% CVSS 7.1
HIGH This Month

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Infosphere Information Server
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

XXE Jinher Oa
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.

XXE Denial Of Service Splunk Cloud Platform +1
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Dataspider Servista
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was determined in Jinher OA 2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in Jinher OA 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL This Week

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in Jinher OA up to 1.2. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in Jinher OA up to 1.2. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub VulDB
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Langchain +2
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Privilege Escalation Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Month

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Apache +2
NVD
EPSS 0% CVSS 8.2
HIGH This Month

Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

XXE Microsoft Windows
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Dell CloudLink, versions 8.0 through 8.1.1, contains an Improper Restriction of XML External Entity Reference vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Dell Denial Of Service XXE +2
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

OpenKilda is an open-source OpenFlow controller. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Month

In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Freeflow Core
NVD
EPSS 0% CVSS 8.6
HIGH POC This Month

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Experience Manager Forms
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in Jinher OA 1.1. It has been rated as problematic. This issue affects some unknown processing of the file XmlHttp.aspx. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

XXE Jinher Oa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in Jinher OA 1.2. It has been declared as problematic. This vulnerability affects unknown code of the file ProjectScheduleDelete.aspx. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

XXE Jinher Oa
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

XML External Entity (XXE) injection in agorum core open's RSSReader endpoint enables remote attackers to exfiltrate sensitive server-side data by submitting crafted XML payloads. Affected versions are v11.9.2 and v11.10.1 of this document management platform. EPSS exploitation probability sits at 0.22% (13th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA's KEV catalog - indicating low observed exploitation pressure despite the network-accessible, unauthenticated attack surface described by the CVSS vector.

XXE Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Apache Jackrabbit versions prior to 2.23.2 contain blind XXE (XML External Entity) vulnerabilities in jackrabbit-spi-commons and jackrabbit-core components due to unsafe XML document parsing when loading privilege definitions. An authenticated attacker with low privileges can exploit this to achieve high-impact confidentiality, integrity, and availability compromise. The vulnerability requires user authentication (PR:L) but has no interaction requirement and affects all systems regardless of scope.

XXE Apache Java +3
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

CVE-2025-7523 is an XML External Entity (XXE) injection vulnerability in Jinher OA 1.0 affecting the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. An unauthenticated remote attacker can exploit this to read sensitive files, modify data, or cause denial of service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

CVE-2025-6438 is a security vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

XXE
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.

XXE Coldfusion
NVD
EPSS 0% CVSS 4.5
MEDIUM This Month

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

XXE Coldfusion
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

XXE Denial Of Service Coldfusion
NVD
EPSS 1% CVSS 5.8
MEDIUM POC PATCH This Month

CVE-2025-49493 is a security vulnerability (CVSS 5.8) that allows file inclusion. Remediation should follow standard vulnerability management procedures.

XXE
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Allure 2 versions prior to 2.34.1 contain a critical XML External Entity (XXE) injection vulnerability in the xunit-xml-plugin that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem and potentially trigger SSRF attacks. The vulnerability stems from insecure XML parser configuration in the DocumentBuilderFactory and is exploitable by uploading or providing malicious test result XML files without any authentication or user interaction required.

XXE SSRF Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.

XXE SSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contain an XML External Entity (XXE) injection vulnerability that allows authenticated remote attackers to extract sensitive information or trigger denial-of-service conditions through memory exhaustion. The vulnerability requires valid credentials (CVSS PR:L) but has a high confidentiality impact (C:H) and affects a critical security infrastructure product. No publicly available evidence of active exploitation or public POCs has been confirmed at this time.

XXE IBM Information Disclosure +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

CVE-2025-36049 is a security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.

XXE IBM Webmethods Integration
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Keyoti SearchUnit versions prior to 9.0.0 contain an XML External Entity (XXE) injection vulnerability that allows unauthenticated remote attackers to exfiltrate sensitive files from affected systems. The vulnerability has a CVSS 3.1 score of 7.5 (High) with a network attack vector, no privileges required, and no user interaction needed. While no public POC or active in-the-wild exploitation has been widely documented, the straightforward attack vector and high confidentiality impact make this a significant risk for organizations running vulnerable SearchUnit instances.

XXE
NVD
EPSS 8% CVSS 9.9
CRITICAL POC PATCH Act Now

A remote code execution vulnerability in GeoServer (CVSS 9.9) that allows users. Risk factors: public PoC available. Vendor patch is available.

XXE Geonetwork Geotools +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

CVE-2025-31039 is an XML External Entity (XXE) injection vulnerability in the Pixelgrade Category Icon WordPress plugin (versions through 1.0.2) that allows authenticated attackers with high privileges to read arbitrary files, execute remote code, or cause denial of service through improper XML entity validation. The vulnerability has a critical CVSS score of 9.1 but requires administrator-level privileges to exploit; active exploitation status and proof-of-concept availability are not confirmed from the provided intelligence.

XXE
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

CVE-2025-5877 is a security vulnerability (CVSS 6.3). Risk factors: public PoC available.

Microsoft PHP XXE
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Week

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XXE Information Disclosure Denial Of Service +3
NVD
EPSS 0% CVSS 8.7
HIGH This Month

XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Microsoft Windows
NVD
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Microsoft Java +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Sulu is an open-source PHP content management system based on the Symfony framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Month

A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Polarion Alm
NVD
EPSS 0% CVSS 8.6
HIGH This Month

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SAP Supplier Relationship Management
NVD
EPSS 25% 4.1 CVSS 9.3
CRITICAL POC THREAT Emergency

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.6%.

XXE Sysaid
NVD
EPSS 63% 6.7 CVSS 9.3
CRITICAL POC KEV THREAT Emergency

SysAid On-Prem contains a second unauthenticated XXE injection in Server URL processing, providing an alternative attack path to the Checkin XXE (CVE-2025-2775) for admin takeover.

XXE Sysaid
NVD
EPSS 70% 7.0 CVSS 9.3
CRITICAL POC KEV THREAT Emergency

SysAid On-Prem versions through 23.3.40 contain an unauthenticated XXE injection in the Checkin processing, enabling administrator account takeover and file read primitives.

XXE Sysaid
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Dell Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Langroid is a framework for building large-language-model-powered applications. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Langroid
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Api Manager
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Mailessentials
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 7.5
HIGH This Week

TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers fetch and parse the XML response. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection.11.17. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Google
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in zhangyanbo2007 youkefu up to 4.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Youkefu
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Atlassian
NVD GitHub
EPSS 0% CVSS 8.4
HIGH POC This Week

There is a XXE in W3CSS Validator versions before cssval-20250226 that allows an attacker to use specially-crafted XML objects to coerce server-side request forgery (SSRF). Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF Css Validator
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM Monitor

In JetBrains GoLand before 2025.1 an XXE during debugging was possible. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Goland
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.0.8 (SP8). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 8.1
HIGH This Week

An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE RCE Java
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Aspera Shares
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

External XML entity injection allows arbitrary download of files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Privilege Escalation
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An XML External Entity (XXE) vulnerability in the deserializeArgs() method of Java SDK for CloudEvents v4.0.1 allows attackers to access sensitive information via supplying a crafted XML-formatted. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Java
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Openpages With Watson
NVD
EPSS 0% CVSS 8.2
HIGH This Week

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE IBM Cognos Controller +1
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

RSA Authentication Manager before 8.7 SP2 Patch 1 allows XML External Entity (XXE) attacks via a license file, resulting in attacker-controlled files being stored on the product's server. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03.java of the component WXCallBack Interface. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Yimioa
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Entirex
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Cognos Analytics
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Month

The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
Prev Page 2 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy