Skip to main content

XXE

1231 CVEs technique

Monthly

CVE-2022-31447 HIGH POC This Week

An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Magicpin
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-22977 HIGH This Week

VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

VMware Information Disclosure Microsoft XXE Tools
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2022-31261 HIGH This Week

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Morpheus
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-29801 HIGH PATCH This Week

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Teamcenter
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-30971 Maven HIGH This Week

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Storable Configs
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-22774 CRITICAL Act Now

The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Managed File Transfer Command Center Managed File Transfer Internet Server
NVD
CVSS 3.1
9.1
EPSS
0.9%
CVE-2022-28890 Maven CRITICAL PATCH Act Now

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved.4.0 and prior versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Jena
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2022-29943 MEDIUM This Month

Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Administration Center
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-1331 MEDIUM This Month

In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Dmars
NVD
CVSS 3.1
5.5
EPSS
0.8%
CVE-2022-21949 HIGH This Week

A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Open Build Service
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2022-29265 Maven HIGH PATCH This Week

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2022-24449 CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-24898 Maven MEDIUM POC PATCH This Month

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Commons
NVD GitHub
CVSS 3.1
4.9
EPSS
1.4%
CVE-2022-0272 Maven CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Detekt
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-0221 MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Scadapack Workbench
NVD
CVSS 3.1
5.5
EPSS
0.9%
CVE-2022-28219 CRITICAL POC PATCH THREAT Act Now

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho RCE XXE Manageengine Adaudit Plus
NVD
CVSS 3.1
9.8
EPSS
97.0%
CVE-2022-1018 MEDIUM PATCH This Month

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Connected Components Workbench Isagraf Safety Instrumented Systems Workstation
NVD
CVSS 3.1
5.5
EPSS
2.1%
CVE-2022-28155 Maven HIGH This Week

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Pipeline
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2022-28154 Maven HIGH This Week

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Coverage Complexity Scatter Plot
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2022-28140 Maven HIGH PATCH This Week

Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Flaky Test Handler
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2022-0861 LOW Monitor

A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Epolicy Orchestrator
NVD
CVSS 3.1
3.8
EPSS
0.4%
CVE-2022-27193 PyPI MEDIUM PATCH This Month

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cvrf Csaf Converter
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2022-26661 PyPI MEDIUM POC PATCH This Month

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Proteus Trytond Debian Linux
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2022-22835 MEDIUM POC THREAT This Month

An issue was discovered in OverIT Geocall before version 8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Geocall
NVD
CVSS 3.1
6.5
EPSS
14.5%
CVE-2022-22795 CRITICAL Act Now

Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XXE Manager Agents
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-25312 Maven CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XXE Any23
NVD
CVSS 3.1
9.1
EPSS
2.8%
CVE-2022-0839 Maven CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Liquibase Sqlcl
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2022-0265 Maven CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Hazelcast
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2022-23640 Maven CRITICAL PATCH Act Now

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Excel Streaming Reader
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-24340 CRITICAL Act Now

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-21282 MEDIUM This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Java Graalvm Jdk +17
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2022-0239 Maven CRITICAL POC PATCH GHSA Act Now

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2021-44028 MEDIUM This Month

XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Kace Desktop Authority
NVD
CVSS 3.1
5.5
EPSS
3.0%
CVE-2021-45096 MEDIUM This Month

KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Knime Analytics Platform
NVD GitHub
CVSS 3.1
4.3
EPSS
1.1%
CVE-2021-3836 MEDIUM POC PATCH This Month

dbeaver is vulnerable to Improper Restriction of XML External Entity Reference. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

XXE Dbeaver
NVD GitHub
CVSS 3.1
5.5
EPSS
0.9%
CVE-2021-23463 Maven CRITICAL POC PATCH Act Now

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE H2
NVD GitHub
CVSS 3.1
9.1
EPSS
3.3%
CVE-2021-44557 CRITICAL PATCH Act Now

National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Multiner
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2021-44556 CRITICAL PATCH Act Now

National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Digger
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2021-42776 HIGH This Week

CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cloverdx
NVD
CVSS 3.1
7.7
EPSS
0.8%
CVE-2021-44147 MEDIUM POC This Month

An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Filemaker Pro Filemaker Server
NVD
CVSS 3.1
5.5
EPSS
1.1%
CVE-2021-43577 Maven HIGH PATCH This Week

Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Owasp Dependency Check
NVD
CVSS 3.1
7.1
EPSS
1.0%
CVE-2021-43576 Maven MEDIUM This Month

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Jenkins XXE Pom2Config
NVD
CVSS 3.1
6.5
EPSS
2.4%
CVE-2021-21701 Maven MEDIUM This Month

Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Performance
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-36172 HIGH This Week

An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Fortiportal
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-38948 CRITICAL PATCH Act Now

IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XXE Infosphere Information Server
NVD
CVSS 3.1
9.1
EPSS
2.0%
CVE-2021-20839 MEDIUM PATCH This Month

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE Office Server Document Converter
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-20838 HIGH PATCH This Week

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE Office Server Document Converter
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-25912 CRITICAL POC Act Now

A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure XXE Denial Of Service PHP Symphony
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
1.4%
CVE-2021-3869 Maven HIGH POC PATCH This Week

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-3878 Maven CRITICAL POC PATCH Act Now

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-20801 MEDIUM This Month

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XXE Remote Service Manager
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-35496 HIGH This Week

The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server -. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft XXE Jasperreports Server
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2021-40500 HIGH This Week

SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-3312 Maven MEDIUM POC PATCH This Month

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Opencms
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-38298 CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XXE Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-40439 MEDIUM This Month

Apache OpenOffice has a dependency on expat software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service XXE Openoffice
NVD
CVSS 3.1
6.5
EPSS
3.4%
CVE-2021-41770 HIGH This Week

Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Pingfederate
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-34706 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco SSRF XXE Identity Services Engine
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-35201 MEDIUM This Month

NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ngeniusone
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-41098 Ruby HIGH PATCH This Week

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Nokogiri
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-29831 HIGH PATCH This Week

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Jazz For Service Management Tivoli Netcool Omnibus Gui
NVD
CVSS 3.1
8.1
EPSS
1.4%
CVE-2021-39239 Maven HIGH PATCH This Week

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Jena
NVD
CVSS 3.1
7.5
EPSS
4.3%
CVE-2021-30137 HIGH POC This Week

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Assyst
NVD GitHub
CVSS 3.1
8.2
EPSS
0.8%
CVE-2021-40356 HIGH PATCH This Week

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Teamcenter Visualization
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-38555 Maven CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Any23
NVD
CVSS 3.1
9.1
EPSS
2.8%
CVE-2021-3055 MEDIUM This Month

An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Paloalto Pan Os
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-34436 CRITICAL Act Now

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal XXE Theia
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-21680 Maven HIGH PATCH This Week

Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Nested View
NVD
CVSS 3.1
7.1
EPSS
1.3%
CVE-2021-39371 PyPI HIGH PATCH This Week

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Owslib Pywps Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-34823 CRITICAL Act Now

The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XXE Screenshare
NVD
CVSS 3.1
9.1
EPSS
2.0%
CVE-2021-27741 CRITICAL Act Now

" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection". Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Hcl Commerce
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2021-38584 HIGH This Week

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cpanel
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2021-37425 CRITICAL POC THREAT Act Now

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Mobiletogether Server
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
66.3%
CVE-2021-37178 MEDIUM This Month

A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Solid Edge Se2021 Firmware
NVD
CVSS 3.1
5.5
EPSS
0.9%
CVE-2021-1630 HIGH This Week

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mule
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-23418 PyPI CRITICAL POC PATCH Act Now

The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Glances
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-20399 CRITICAL PATCH Act Now

IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Qradar Security Information And Event Manager
NVD
CVSS 3.1
9.1
EPSS
1.8%
CVE-2021-22523 HIGH This Week

XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Verastream Host Integrator
NVD
CVSS 3.1
7.6
EPSS
0.8%
CVE-2021-2401 MEDIUM This Month

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Oracle XXE Bi Publisher
NVD
CVSS 3.1
5.3
EPSS
84.8%
CVE-2021-20595 HIGH This Week

Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE G 50A Firmware Gb 50A Firmware Ag 150A A Firmware Ag 150A J Firmware +15
NVD
CVSS 3.1
8.2
EPSS
1.8%
CVE-2021-32754 MEDIUM This Month

FlowDroid is a data flow analysis tool. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

XXE Flowdroid
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2021-30201 HIGH POC PATCH THREAT This Week

The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Vsa
NVD
CVSS 3.1
7.5
EPSS
25.4%
CVE-2021-32972 MEDIUM This Month

Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fpwin Pro
NVD
CVSS 3.1
5.5
EPSS
0.7%
CVE-2021-21672 Maven MEDIUM PATCH This Month

Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Selenium Html Report
NVD
CVSS 3.1
4.3
EPSS
42.5%
CVE-2021-25951 PyPI HIGH POC This Week

XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Xml2Dict
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-22338 MEDIUM This Month

There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Ecns280 Firmware
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2021-29620 Maven HIGH PATCH This Week

Report portal is an open source reporting and analysis framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Service Api
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2021-35066 CRITICAL Act Now

An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Automate
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2021-28684 MEDIUM POC This Month

The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Powerarchiver
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-21669 Maven CRITICAL PATCH Act Now

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Generic Webhook Trigger
NVD
CVSS 3.1
9.8
EPSS
25.7%
EPSS 1% CVSS 7.5
HIGH POC This Week

An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Magicpin
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

VMware Information Disclosure Microsoft +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Morpheus
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Teamcenter
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Storable Configs
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Managed File Transfer Command Center Managed File Transfer Internet Server
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved.4.0 and prior versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Jena
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Administration Center
NVD
EPSS 1% CVSS 5.5
MEDIUM This Month

In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Dmars
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Open Build Service
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Commons
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Detekt
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Scadapack Workbench
NVD
EPSS 97% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho RCE XXE +1
NVD
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Connected Components Workbench Isagraf +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Pipeline
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Coverage Complexity Scatter Plot
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Flaky Test Handler
NVD
EPSS 0% CVSS 3.8
LOW Monitor

A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Epolicy Orchestrator
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cvrf Csaf Converter
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Proteus Trytond +1
NVD
EPSS 14% CVSS 6.5
MEDIUM POC THREAT This Month

An issue was discovered in OverIT Geocall before version 8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Geocall
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XXE Manager Agents
NVD
EPSS 3% CVSS 9.1
CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XXE Any23
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Liquibase Sqlcl
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Hazelcast
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Excel Streaming Reader
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Java +19
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
EPSS 3% CVSS 5.5
MEDIUM This Month

XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Kace Desktop Authority
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Knime Analytics Platform
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

dbeaver is vulnerable to Improper Restriction of XML External Entity Reference. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

XXE Dbeaver
NVD GitHub
EPSS 3% CVSS 9.1
CRITICAL POC PATCH Act Now

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE H2
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Multiner
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Digger
NVD GitHub
EPSS 1% CVSS 7.7
HIGH This Week

CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cloverdx
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Filemaker Pro +1
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Owasp Dependency Check
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Jenkins XXE +1
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Performance
NVD
EPSS 1% CVSS 8.1
HIGH This Week

An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Fortiportal
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XXE Infosphere Information Server
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE +1
NVD
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure XXE Denial Of Service +2
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XXE Remote Service Manager
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server -. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft XXE Jasperreports Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE SAP +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Opencms
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XXE Manageengine Admanager Plus
NVD
EPSS 3% CVSS 6.5
MEDIUM This Month

Apache OpenOffice has a dependency on expat software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Pingfederate
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco SSRF XXE +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ngeniusone
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Nokogiri
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Jazz For Service Management +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Jena
NVD
EPSS 1% CVSS 8.2
HIGH POC This Week

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Assyst
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Teamcenter Visualization
NVD
EPSS 3% CVSS 9.1
CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Any23
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Paloalto +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal XXE +1
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Nested View
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Owslib Pywps +1
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL Act Now

The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XXE Screenshare
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection". Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Hcl Commerce
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cpanel
NVD
EPSS 66% CVSS 9.1
CRITICAL POC THREAT Act Now

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Mobiletogether Server
NVD Exploit-DB
EPSS 1% CVSS 5.5
MEDIUM This Month

A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Solid Edge Se2021 Firmware
NVD
EPSS 1% CVSS 7.5
HIGH This Week

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mule
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Glances
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Qradar Security Information And Event Manager
NVD
EPSS 1% CVSS 7.6
HIGH This Week

XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Verastream Host Integrator
NVD
EPSS 85% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Oracle XXE Bi Publisher
NVD
EPSS 2% CVSS 8.2
HIGH This Week

Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE G 50A Firmware Gb 50A Firmware +17
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

FlowDroid is a data flow analysis tool. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

XXE Flowdroid
NVD GitHub
EPSS 25% CVSS 7.5
HIGH POC PATCH THREAT This Week

The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Vsa
NVD
EPSS 1% CVSS 5.5
MEDIUM This Month

Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fpwin Pro
NVD
EPSS 43% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Selenium Html Report
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Xml2Dict
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Ecns280 Firmware
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Report portal is an open source reporting and analysis framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Service Api
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Automate
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Powerarchiver
NVD
EPSS 26% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Generic Webhook Trigger
NVD
Prev Page 6 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy