Skip to main content

XML External Entity Injection

web HIGH

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions.

How It Works

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions. When an application accepts XML input, an attacker can inject a malicious DOCTYPE declaration containing external entity references. These entities instruct the parser to fetch content from arbitrary locations—either local files on the server or remote URLs.

The attack begins with crafting XML that defines an external entity, such as <!ENTITY xxe SYSTEM "file:///etc/passwd">, then references it within the document body using &xxe;. When the parser processes this XML, it automatically resolves the entity, reading the specified file and incorporating its contents into the parsed output. Attackers can retrieve this data directly if it's reflected in responses, or use out-of-band techniques when the application doesn't display parsed content.

Beyond basic file retrieval, XXE enables Server-Side Request Forgery by using HTTP/HTTPS URLs in entity declarations, allowing attackers to probe internal networks. Parameter entities create "blind XXE" scenarios where data is exfiltrated through DNS queries or HTTP requests to attacker-controlled servers. The attack surface extends beyond obvious XML endpoints—SVG images, Microsoft Office documents (DOCX/XLSX), and SOAP services all contain XML that parsers process, often without developer awareness.

Impact

  • Arbitrary file disclosure: Read sensitive files like /etc/passwd, application configuration files, source code, or SSH keys
  • Server-Side Request Forgery: Scan internal networks, access cloud metadata services (AWS EC2 metadata), or interact with internal APIs
  • Denial of Service: Exponential entity expansion attacks (Billion Laughs) consume memory and CPU, crashing applications
  • Remote code execution: In specific configurations with expect:// protocol handlers or through PHP's phar:// wrapper exploitation
  • Authentication bypass: Extract credential files or session tokens from filesystem

Real-World Examples

The Facebook career site XXE vulnerability (2014) allowed attackers to read arbitrary files from internal servers by uploading malicious DOCX resumes. The XML contained within the Office document format was parsed without entity restrictions, exposing internal file contents.

Google's XML parsing infrastructure suffered from XXE in several products including Google Toolbar and Google Mini search appliance, where attackers could retrieve configuration files and access internal network resources through crafted XML requests.

Cisco's Security Manager (CVE-2018-15379) contained an XXE vulnerability in its SOAP interface that permitted unauthenticated attackers to read arbitrary files with root privileges. Attackers exploited this by sending specially crafted SOAP messages containing external entity declarations to the management interface.

Mitigation

  • Disable external entity processing entirely in XML parser configuration (setFeature("http://apache.org/xml/features/disallow-doctype-decl", true))
  • Disable DTD processing if external entities can't be disabled (setFeature("http://xml.org/sax/features/external-general-entities", false))
  • Use JSON instead of XML for APIs and data interchange when possible
  • Implement allowlisting for XML schemas and reject documents with DOCTYPE declarations
  • Apply strict input validation on content-type headers to prevent forced XML parsing
  • Use less complex XML parsers or dedicated security-focused parsing libraries
  • Run XML processing in sandboxed environments with restricted filesystem and network access

Recent CVEs (1231)

EPSS 1% CVSS 5.5
MEDIUM This Month

The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Codeql Cli
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Digital Experience Platform Liferay Portal
NVD
EPSS 95% CVSS 8.3
HIGH POC THREAT This Week

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti XXE Connect Secure +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE SAP +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Movitools Motionstudio
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Delivery Check System
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Deliverables Creation Support Tool
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Delivery Check System Electronic Delivery Item Inspection Support System
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Spreadsheet
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

fontTools is a library for manipulating fonts, written in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XXE Fonttools
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jenkins Web Application Screening
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jenkins Policy Compliance
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE RCE +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Unified Remote
NVD Exploit-DB
EPSS 4% CVSS 9.8
CRITICAL Act Now

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Avalanche
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Wps
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Api Manager Api Manager Analytics +5
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Repox
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Memory Analyzer
NVD
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.2.0 before 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Cocoon
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Matlab
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe XXE Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Siemens Siemens Opc Ua Modeling Editor
NVD
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. Public exploit code available.

XXE Eclipse Ide Org Eclipse Core Runtime +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Topografix Data Plugin +3
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE E Tax
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Opencrx
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Dell Unity Operating Environment +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cx Designer
NVD
EPSS 4% CVSS 7.5
HIGH KEV THREAT This Week

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Proself
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Microsoft +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Ktor
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

FD Application Apr. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fd Application
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.

XXE Assistant Client
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE S 4 Hana
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Job Configuration History
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Job Configuration History
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE IBM Financial Transaction Manager
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE C2132 Firmware +80
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Eclipse Leshan is a device management server and client Java implementation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Leshan
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Realgimm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

An issue was discovered in Esoteric YamlBeans through 1.15. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Yamlbeans
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity.

XXE Horizon Meridian
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity.

XXE Horizon Meridian
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Fedora +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Ivanti Avalanche decodeToMap XML External Entity Processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Avalanche
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

RCE XXE Microsoft +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Unica application exposes an API which accepts arbitrary XML input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Unica
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Magritte Rest Source Bundle
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE J Wbem
NVD
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Kirby
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Applicant Programme
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Xbrl Data Create
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Android
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE External Monitor Job Type
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Ecostruxure Opc Ua Server Expert
NVD
EPSS 3% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Admanager Plus
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Xclarity Administrator
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Hutool
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Arcsight Logger
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Frenic Rhc Loader
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE Xml Library
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Splunk Denial Of Service XXE +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE E Cology
NVD GitHub VulDB
EPSS 1% CVSS 4.9
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF +1
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Opc Factory Server
NVD
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Websphere Application Server
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Shinseiyo Sogo Soft
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Authentication Bypass Ms N5008 Uc Firmware +20
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ms N5008 Uc Firmware Ms N1008 Unc Firmware +19
NVD
EPSS 3% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Assetexplorer +3
NVD
EPSS 1% CVSS 8.1
HIGH This Week

HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Workload Automation
NVD
EPSS 1% CVSS 8.1
HIGH This Week

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Workload Automation
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nokia CSRF +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nokia CSRF +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Data Catalog
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Data Catalog
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

A vulnerability has been identified in Polarion ALM (All versions < V22R2). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Polarion Alm
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE National Land Numerical Information Data Conversion Tool
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Zoho Manageengine Applications Manager
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Tririga Application Platform
NVD
EPSS 1% CVSS 6.0
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Remote Jobs View
NVD
EPSS 1% CVSS 8.2
HIGH This Week

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Phabricator Differential
NVD
EPSS 1% CVSS 8.2
HIGH This Week

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Performance Publisher
NVD
Prev Page 4 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1231

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy