Skip to main content

XXE

1231 CVEs technique

Monthly

CVE-2024-42185 LOW Monitor

BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. Rated low severity (CVSS 2.5). No vendor patch available.

XXE Authentication Bypass Denial Of Service
NVD
CVSS 3.1
2.5
EPSS
0.1%
CVE-2025-23195 HIGH This Month

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Ambari
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-12476 HIGH This Month

cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific crafted XML file is imported in the Web Designer. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE XXE Information Disclosure
NVD
CVSS 4.0
8.4
EPSS
0.2%
CVE-2024-12298 MEDIUM This Month

We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-35532 CRITICAL This Week

An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Buffer Overflow Denial Of Service Information Disclosure SSRF
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-46603 HIGH This Month

An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service G5Dfr Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-46602 HIGH This Month

An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service G5Dfr Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-56324 LOW PATCH Monitor

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE SSRF Information Disclosure Path Traversal Gocd
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2024-56322 LOW PATCH Monitor

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Gocd
NVD GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2024-40896 CRITICAL Act Now

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Libxml2 Hci Compute Node Solidfire Hci Management Node Solidfire Hci Storage Node +5
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2024-56356 HIGH This Week

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-55081 CRITICAL POC Act Now

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-55887 Maven HIGH PATCH This Week

Ucum-java is a FHIR Java library providing UCUM Services. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
CVSS 3.1
8.6
EPSS
0.5%
CVE-2024-55875 Maven CRITICAL POC PATCH GHSA Act Now

http4k is a functional toolkit for Kotlin HTTP applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF RCE XXE Information Disclosure
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
7.2%
CVE-2024-49064 MEDIUM This Month

Microsoft SharePoint Information Disclosure Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Microsoft Sharepoint Server
NVD
CVSS 3.1
6.5
EPSS
2.6%
CVE-2024-49535 MEDIUM This Month

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe XXE Acrobat Acrobat Dc Acrobat Reader +1
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2024-54005 MEDIUM This Month

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 4.0
5.9
EPSS
0.2%
CVE-2024-49704 MEDIUM This Month

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 4.0
5.7
EPSS
0.2%
CVE-2024-47582 MEDIUM This Month

Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-46455 LIB CRITICAL PATCH Act Now

unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-52806 PHP HIGH PATCH This Week

SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XXE
NVD GitHub
CVSS 3.1
8.3
EPSS
0.4%
CVE-2024-52596 PHP HIGH PATCH This Week

SimpleSAMLphp xml-common is a common classes for handling XML-structures. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 4.0
8.8
EPSS
1.0%
CVE-2024-52800 Maven LOW PATCH Monitor

veraPDF is an open source PDF/A validation library. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE
NVD GitHub
CVSS 4.0
2.3
EPSS
1.1%
CVE-2024-9044 MEDIUM This Month

A XML External Entity (XXE) vulnerability has been identified in Easy Tax Client Software 2023 1.2 and earlier across multiple platforms, including Windows, Linux, and macOS. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple XXE Microsoft
NVD
CVSS 4.0
4.6
EPSS
0.2%
CVE-2024-53675 HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
CVSS 3.1
7.5
EPSS
83.9%
CVE-2024-53674 HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
CVSS 3.1
7.5
EPSS
47.4%
CVE-2024-11622 HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-50848 MEDIUM This Month

An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Worldserver
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2024-48917 PHP HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-47873 PHP HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-39726 HIGH This Week

IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Engineering Lifecycle Optimization Engineering Insights
NVD
CVSS 3.1
8.2
EPSS
0.7%
CVE-2024-5919 MEDIUM This Month

A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Paloalto XXE Pan Os
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2024-10218 CRITICAL Act Now

XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS XXE
NVD
CVSS 4.0
9.2
EPSS
0.5%
CVE-2024-51135 Maven CRITICAL Act Now

An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-52007 Maven HIGH PATCH This Week

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
8.6
EPSS
0.9%
CVE-2024-10839 HIGH This Week

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho XXE Microsoft Manageengine Sharepoint Manager Plus
NVD
CVSS 3.1
8.1
EPSS
1.5%
CVE-2024-20531 MEDIUM This Month

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Cisco XXE Identity Services Engine
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-51132 Maven CRITICAL POC PATCH Act Now

An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-45086 MEDIUM This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2024-51136 CRITICAL POC Act Now

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE Openimaj
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-50442 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection.3.980. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-4690 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Application Automation Tools
NVD
CVSS 4.0
5.1
EPSS
0.4%
CVE-2024-4189 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

XXE Application Automation Tools
NVD
CVSS 4.0
5.9
EPSS
0.4%
CVE-2024-4184 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

XXE Application Automation Tools
NVD
CVSS 4.0
5.9
EPSS
0.4%
CVE-2024-45072 MEDIUM This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2024-21255 HIGH This Week

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: XMLPublisher). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Oracle Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-8602 MEDIUM This Month

When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Denial Of Service
NVD
CVSS 4.0
6.3
EPSS
0.4%
CVE-2024-28168 Maven HIGH PATCH This Week

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Formatting Objects Processor
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-39586 MEDIUM This Month

Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Dell XXE Emc Appsync
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-45293 PHP HIGH POC PATCH This Week

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure XXE Phpspreadsheet
NVD GitHub
CVSS 3.1
7.5
EPSS
2.9%
CVE-2024-45745 MEDIUM This Month

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Topbraid Edg
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-46985 Maven HIGH POC PATCH This Week

DataEase is an open source data visualization analysis tool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Dataease
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-46984 Maven CRITICAL PATCH Act Now

The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Reference Validator
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-7098 CRITICAL Act Now

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.Winsure: before 4.6.2. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Winsure
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2024-37397 HIGH This Week

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Endpoint Manager
NVD
CVSS 3.1
8.2
EPSS
59.3%
CVE-2024-45294 Maven HIGH PATCH This Week

The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
CVSS 3.1
8.6
EPSS
1.0%
CVE-2024-45490 HIGH PATCH This Week

An issue was discovered in libexpat before 2.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Libexpat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-45048 PHP MEDIUM POC PATCH This Month

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XXE Phpspreadsheet
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-22219 MEDIUM This Month

XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF RCE XXE
NVD
CVSS 3.1
6.3
EPSS
0.5%
CVE-2024-22218 HIGH This Week

XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF RCE XXE
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-38653 HIGH POC THREAT This Week

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Avalanche
NVD
CVSS 3.1
7.5
EPSS
92.0%
CVE-2024-6893 HIGH POC THREAT This Week

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Journyx
NVD
CVSS 3.1
7.5
EPSS
32.9%
CVE-2024-3930 CRITICAL Act Now

In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Akana Api
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-40075 MEDIUM This Month

Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-6961 PyPI MEDIUM PATCH MAL This Month

RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-5625 MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.05.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-38374 Maven HIGH PATCH This Week

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-28982 HIGH This Week

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Pentaho Business Analytics Server
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-27142 MEDIUM This Month

Toshiba printers use XML communication for the API endpoint provided by the printer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
CVSS 3.1
5.9
EPSS
0.9%
CVE-2024-27141 MEDIUM This Month

Toshiba printers use XML communication for the API endpoint provided by the printer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
CVSS 3.1
5.9
EPSS
1.1%
CVE-2024-34102 PHP CRITICAL POC KEV PATCH THREAT Act Now

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Adobe XXE Commerce Commerce Webhooks +1
NVD
CVSS 3.1
9.8
EPSS
100.0%
CVE-2024-37388 PyPI CRITICAL PATCH Act Now

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Ebookmeta
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-36827 PyPI HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Ebookmeta
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-3969 CRITICAL Act Now

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE Imanager
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-4357 MEDIUM This Month

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE Telerik Reporting
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-3486 CRITICAL Act Now

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Information Disclosure XXE Imanager
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-30043 HIGH This Week

Microsoft SharePoint Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Microsoft Sharepoint Server
NVD
CVSS 3.1
7.5
EPSS
54.7%
CVE-2024-34345 npm HIGH PATCH This Week

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.9%
CVE-2024-29010 HIGH This Week

The XML document processed in the GMS ECM URL endpoint is vulnerable to XML external entity (XXE) injection, potentially resulting in the disclosure of sensitive information.3.4 and earlier versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
7.1
EPSS
0.6%
CVE-2024-22354 HIGH This Week

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM SSRF XXE Websphere Application Server
NVD
CVSS 3.1
7.0
EPSS
0.6%
CVE-2024-21082 CRITICAL Act Now

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Bi Publisher
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-21048 MEDIUM This Month

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: XML input). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Oracle Web Applications Desktop Integrator
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-3572 PyPI HIGH POC PATCH This Week

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Denial Of Service Scrapy
NVD GitHub
CVSS 3.0
7.5
EPSS
0.8%
CVE-2024-25971 MEDIUM This Month

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Dell XXE Powerprotect Data Manager
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-31139 HIGH This Week

In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-1455 PyPI MEDIUM POC PATCH This Month

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XXE Denial Of Service Langchain
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2024-2826 HIGH POC This Week

A vulnerability classified as problematic was found in lakernote EasyAdmin up to 20240315. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Easyadmin
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-28039 MEDIUM This Month

Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
5.8
EPSS
0.7%
CVE-2024-27266 HIGH PATCH This Week

IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Maximo Application Suite
NVD
CVSS 3.1
8.2
EPSS
0.8%
CVE-2024-28198 HIGH PATCH This Week

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Openolat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
EPSS 0% CVSS 2.5
LOW Monitor

BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. Rated low severity (CVSS 2.5). No vendor patch available.

XXE Authentication Bypass Denial Of Service
NVD
EPSS 0% CVSS 7.5
HIGH This Month

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Ambari
NVD
EPSS 0% CVSS 8.4
HIGH This Month

cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific crafted XML file is imported in the Web Designer. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE XXE Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 9.1
CRITICAL This Week

An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Buffer Overflow Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Month

An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service G5Dfr Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Month

An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service G5Dfr Firmware
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE SSRF Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Gocd
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Libxml2 Hci Compute Node +7
NVD
EPSS 0% CVSS 7.1
HIGH This Week

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Ucum-java is a FHIR Java library providing UCUM Services. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

http4k is a functional toolkit for Kotlin HTTP applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF RCE XXE +1
NVD GitHub VulDB
EPSS 3% CVSS 6.5
MEDIUM This Month

Microsoft SharePoint Information Disclosure Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Microsoft +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe XXE Acrobat +3
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XXE
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

SimpleSAMLphp xml-common is a common classes for handling XML-structures. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 2.3
LOW PATCH Monitor

veraPDF is an open source PDF/A validation library. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

A XML External Entity (XXE) vulnerability has been identified in Easy Tax Client Software 2023 1.2 and earlier across multiple platforms, including Windows, Linux, and macOS. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple XXE Microsoft
NVD
EPSS 84% CVSS 7.5
HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
EPSS 47% CVSS 7.5
HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
EPSS 2% CVSS 7.5
HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Worldserver
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
EPSS 1% CVSS 8.2
HIGH This Week

IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Engineering Lifecycle Optimization Engineering Insights
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Paloalto XXE Pan Os
NVD
EPSS 0% CVSS 9.2
CRITICAL Act Now

XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS XXE
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS XXE
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho XXE Microsoft +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Cisco XXE +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE Openimaj
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection.3.980. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Elementor
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Application Automation Tools
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

XXE Application Automation Tools
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

XXE Application Automation Tools
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: XMLPublisher). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Oracle Peoplesoft Enterprise Peopletools
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Denial Of Service
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Formatting Objects Processor
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Dell XXE +1
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure XXE +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Topbraid Edg
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

DataEase is an open source data visualization analysis tool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Dataease
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Reference Validator
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL Act Now

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.Winsure: before 4.6.2. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Winsure
NVD VulDB
EPSS 59% CVSS 8.2
HIGH This Week

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Endpoint Manager
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in libexpat before 2.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Libexpat
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XXE Phpspreadsheet
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF RCE XXE
NVD
EPSS 1% CVSS 8.8
HIGH This Week

XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF RCE XXE
NVD
EPSS 92% CVSS 7.5
HIGH POC THREAT This Week

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Avalanche
NVD
EPSS 33% CVSS 7.5
HIGH POC THREAT This Week

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Journyx
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Akana Api
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.05.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Pentaho Business Analytics Server
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Toshiba printers use XML communication for the API endpoint provided by the printer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Toshiba printers use XML communication for the API endpoint provided by the printer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Adobe XXE +3
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Ebookmeta
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Ebookmeta
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE Imanager
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE Telerik Reporting
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Information Disclosure XXE +1
NVD
EPSS 55% CVSS 7.5
HIGH This Week

Microsoft SharePoint Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Microsoft +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 7.1
HIGH This Week

The XML document processed in the GMS ECM URL endpoint is vulnerable to XML external entity (XXE) injection, potentially resulting in the disclosure of sensitive information.3.4 and earlier versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 1% CVSS 7.0
HIGH This Week

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM SSRF XXE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Bi Publisher
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: XML input). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Oracle Web Applications Desktop Integrator
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Denial Of Service Scrapy
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Dell XXE +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XXE Denial Of Service Langchain
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability classified as problematic was found in lakernote EasyAdmin up to 20240315. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Easyadmin
NVD VulDB
EPSS 1% CVSS 5.8
MEDIUM This Month

Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Maximo Application Suite
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Openolat
NVD GitHub
Prev Page 3 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy