Skip to main content

XML External Entity Injection

web HIGH

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions.

How It Works

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions. When an application accepts XML input, an attacker can inject a malicious DOCTYPE declaration containing external entity references. These entities instruct the parser to fetch content from arbitrary locations—either local files on the server or remote URLs.

The attack begins with crafting XML that defines an external entity, such as <!ENTITY xxe SYSTEM "file:///etc/passwd">, then references it within the document body using &xxe;. When the parser processes this XML, it automatically resolves the entity, reading the specified file and incorporating its contents into the parsed output. Attackers can retrieve this data directly if it's reflected in responses, or use out-of-band techniques when the application doesn't display parsed content.

Beyond basic file retrieval, XXE enables Server-Side Request Forgery by using HTTP/HTTPS URLs in entity declarations, allowing attackers to probe internal networks. Parameter entities create "blind XXE" scenarios where data is exfiltrated through DNS queries or HTTP requests to attacker-controlled servers. The attack surface extends beyond obvious XML endpoints—SVG images, Microsoft Office documents (DOCX/XLSX), and SOAP services all contain XML that parsers process, often without developer awareness.

Impact

  • Arbitrary file disclosure: Read sensitive files like /etc/passwd, application configuration files, source code, or SSH keys
  • Server-Side Request Forgery: Scan internal networks, access cloud metadata services (AWS EC2 metadata), or interact with internal APIs
  • Denial of Service: Exponential entity expansion attacks (Billion Laughs) consume memory and CPU, crashing applications
  • Remote code execution: In specific configurations with expect:// protocol handlers or through PHP's phar:// wrapper exploitation
  • Authentication bypass: Extract credential files or session tokens from filesystem

Real-World Examples

The Facebook career site XXE vulnerability (2014) allowed attackers to read arbitrary files from internal servers by uploading malicious DOCX resumes. The XML contained within the Office document format was parsed without entity restrictions, exposing internal file contents.

Google's XML parsing infrastructure suffered from XXE in several products including Google Toolbar and Google Mini search appliance, where attackers could retrieve configuration files and access internal network resources through crafted XML requests.

Cisco's Security Manager (CVE-2018-15379) contained an XXE vulnerability in its SOAP interface that permitted unauthenticated attackers to read arbitrary files with root privileges. Attackers exploited this by sending specially crafted SOAP messages containing external entity declarations to the management interface.

Mitigation

  • Disable external entity processing entirely in XML parser configuration (setFeature("http://apache.org/xml/features/disallow-doctype-decl", true))
  • Disable DTD processing if external entities can't be disabled (setFeature("http://xml.org/sax/features/external-general-entities", false))
  • Use JSON instead of XML for APIs and data interchange when possible
  • Implement allowlisting for XML schemas and reject documents with DOCTYPE declarations
  • Apply strict input validation on content-type headers to prevent forced XML parsing
  • Use less complex XML parsers or dedicated security-focused parsing libraries
  • Run XML processing in sandboxed environments with restricted filesystem and network access

Recent CVEs (1231)

EPSS 0% CVSS 2.5
LOW Monitor

BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. Rated low severity (CVSS 2.5). No vendor patch available.

XXE Authentication Bypass Denial Of Service
NVD
EPSS 0% CVSS 7.5
HIGH This Month

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Ambari
NVD
EPSS 0% CVSS 8.4
HIGH This Month

cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific crafted XML file is imported in the Web Designer. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE XXE Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 9.1
CRITICAL This Week

An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Buffer Overflow Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Month

An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service G5Dfr Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Month

An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service G5Dfr Firmware
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE SSRF Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Gocd
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Libxml2 Hci Compute Node +7
NVD
EPSS 0% CVSS 7.1
HIGH This Week

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Ucum-java is a FHIR Java library providing UCUM Services. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

http4k is a functional toolkit for Kotlin HTTP applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF RCE XXE +1
NVD GitHub VulDB
EPSS 3% CVSS 6.5
MEDIUM This Month

Microsoft SharePoint Information Disclosure Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Microsoft +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe XXE Acrobat +3
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XXE
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

SimpleSAMLphp xml-common is a common classes for handling XML-structures. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 2.3
LOW PATCH Monitor

veraPDF is an open source PDF/A validation library. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

A XML External Entity (XXE) vulnerability has been identified in Easy Tax Client Software 2023 1.2 and earlier across multiple platforms, including Windows, Linux, and macOS. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple XXE Microsoft
NVD
EPSS 84% CVSS 7.5
HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
EPSS 47% CVSS 7.5
HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
EPSS 2% CVSS 7.5
HIGH This Week

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Insight Remote Support
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Worldserver
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
EPSS 1% CVSS 8.2
HIGH This Week

IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Engineering Lifecycle Optimization Engineering Insights
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Paloalto XXE Pan Os
NVD
EPSS 0% CVSS 9.2
CRITICAL Act Now

XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS XXE
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS XXE
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho XXE Microsoft +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Cisco XXE +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE Openimaj
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection.3.980. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Elementor
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Application Automation Tools
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

XXE Application Automation Tools
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.1.0 and below. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

XXE Application Automation Tools
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: XMLPublisher). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Oracle Peoplesoft Enterprise Peopletools
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Denial Of Service
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Formatting Objects Processor
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Dell XXE +1
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure XXE +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Topbraid Edg
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

DataEase is an open source data visualization analysis tool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Dataease
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Reference Validator
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL Act Now

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.Winsure: before 4.6.2. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Winsure
NVD VulDB
EPSS 59% CVSS 8.2
HIGH This Week

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Endpoint Manager
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in libexpat before 2.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Libexpat
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XXE Phpspreadsheet
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF RCE XXE
NVD
EPSS 1% CVSS 8.8
HIGH This Week

XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF RCE XXE
NVD
EPSS 92% CVSS 7.5
HIGH POC THREAT This Week

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Avalanche
NVD
EPSS 33% CVSS 7.5
HIGH POC THREAT This Week

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Journyx
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Akana Api
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.05.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Pentaho Business Analytics Server
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Toshiba printers use XML communication for the API endpoint provided by the printer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Toshiba printers use XML communication for the API endpoint provided by the printer. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Adobe XXE +3
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Ebookmeta
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Ebookmeta
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE Imanager
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE Telerik Reporting
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Information Disclosure XXE +1
NVD
EPSS 55% CVSS 7.5
HIGH This Week

Microsoft SharePoint Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Microsoft +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 7.1
HIGH This Week

The XML document processed in the GMS ECM URL endpoint is vulnerable to XML external entity (XXE) injection, potentially resulting in the disclosure of sensitive information.3.4 and earlier versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE
NVD
EPSS 1% CVSS 7.0
HIGH This Week

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM SSRF XXE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Bi Publisher
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: XML input). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Oracle Web Applications Desktop Integrator
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Denial Of Service Scrapy
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Dell XXE +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XXE Denial Of Service Langchain
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability classified as problematic was found in lakernote EasyAdmin up to 20240315. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Easyadmin
NVD VulDB
EPSS 1% CVSS 5.8
MEDIUM This Month

Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Maximo Application Suite
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Openolat
NVD GitHub
Prev Page 3 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1231

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy