Skip to main content

XML External Entity Injection

web HIGH

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions.

How It Works

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions. When an application accepts XML input, an attacker can inject a malicious DOCTYPE declaration containing external entity references. These entities instruct the parser to fetch content from arbitrary locations—either local files on the server or remote URLs.

The attack begins with crafting XML that defines an external entity, such as <!ENTITY xxe SYSTEM "file:///etc/passwd">, then references it within the document body using &xxe;. When the parser processes this XML, it automatically resolves the entity, reading the specified file and incorporating its contents into the parsed output. Attackers can retrieve this data directly if it's reflected in responses, or use out-of-band techniques when the application doesn't display parsed content.

Beyond basic file retrieval, XXE enables Server-Side Request Forgery by using HTTP/HTTPS URLs in entity declarations, allowing attackers to probe internal networks. Parameter entities create "blind XXE" scenarios where data is exfiltrated through DNS queries or HTTP requests to attacker-controlled servers. The attack surface extends beyond obvious XML endpoints—SVG images, Microsoft Office documents (DOCX/XLSX), and SOAP services all contain XML that parsers process, often without developer awareness.

Impact

  • Arbitrary file disclosure: Read sensitive files like /etc/passwd, application configuration files, source code, or SSH keys
  • Server-Side Request Forgery: Scan internal networks, access cloud metadata services (AWS EC2 metadata), or interact with internal APIs
  • Denial of Service: Exponential entity expansion attacks (Billion Laughs) consume memory and CPU, crashing applications
  • Remote code execution: In specific configurations with expect:// protocol handlers or through PHP's phar:// wrapper exploitation
  • Authentication bypass: Extract credential files or session tokens from filesystem

Real-World Examples

The Facebook career site XXE vulnerability (2014) allowed attackers to read arbitrary files from internal servers by uploading malicious DOCX resumes. The XML contained within the Office document format was parsed without entity restrictions, exposing internal file contents.

Google's XML parsing infrastructure suffered from XXE in several products including Google Toolbar and Google Mini search appliance, where attackers could retrieve configuration files and access internal network resources through crafted XML requests.

Cisco's Security Manager (CVE-2018-15379) contained an XXE vulnerability in its SOAP interface that permitted unauthenticated attackers to read arbitrary files with root privileges. Attackers exploited this by sending specially crafted SOAP messages containing external entity declarations to the management interface.

Mitigation

  • Disable external entity processing entirely in XML parser configuration (setFeature("http://apache.org/xml/features/disallow-doctype-decl", true))
  • Disable DTD processing if external entities can't be disabled (setFeature("http://xml.org/sax/features/external-general-entities", false))
  • Use JSON instead of XML for APIs and data interchange when possible
  • Implement allowlisting for XML schemas and reject documents with DOCTYPE declarations
  • Apply strict input validation on content-type headers to prevent forced XML parsing
  • Use less complex XML parsers or dedicated security-focused parsing libraries
  • Run XML processing in sandboxed environments with restricted filesystem and network access

Recent CVEs (1232)

EPSS 1% CVSS 8.2
HIGH This Week

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Performance Publisher
NVD
EPSS 1% CVSS 8.2
HIGH This Week

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Visual Studio Code Metrics
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Crap4J
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Independentsoft JODF before 1.1.110. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jodf
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jspreadsheet
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Independentsoft JWord before 1.1.110. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jword
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Absint A3
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Aspera Faspex
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Enovia Live Collaboration
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Python XXE Owslib
NVD GitHub
EPSS 1% CVSS 7.7
HIGH POC PATCH This Week

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Xwiki
NVD GitHub
EPSS 7% CVSS 5.3
MEDIUM This Month

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Secure Endpoint Secure Endpoint Private Cloud +2
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Geonode
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE Urule
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

XXE VMware Vrealize Automation +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Php Saml Sp
NVD
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Awesome Procedures On Cyper
NVD GitHub
EPSS 1% CVSS 7.4
HIGH This Week

Improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0) and tsClinical Metadata Desktop Tools Version 1.0.3. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Tsclinical Define Xml Generator Tsclinical Metadata Desktop Tools
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC This Week

An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE Ureport
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Mojoportal
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

XXE Remote Engine Gen 2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cx Motion Pro
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Testcomplete Support
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Mstest
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Semantic Versioning
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE SSRF +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: XML Security component). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Oracle XXE Authentication Bypass +1
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Zoho Microsoft +1
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Device Registration Portal
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A vulnerability was found in Talend Open Studio for MDM. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Open Studio For Mdm
NVD VulDB GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Dragonfly is a Java runtime dependency management library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Dragonfly
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Ogc Web Feature Service
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Xml Rpc Net
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Symantec Identity Governance And Administration
NVD
EPSS 1% CVSS 5.5
MEDIUM This Month

Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Sd Wan +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Plot
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SSRF XXE Intellij Idea
NVD
EPSS 1% CVSS 4.9
MEDIUM POC This Month

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Information Server
NVD
EPSS 3% CVSS 4.9
MEDIUM PATCH This Month

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Information Disclosure Zoho XXE +4
NVD
EPSS 8% CVSS 9.8
CRITICAL POC PATCH Act Now

An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Sophos RCE SSRF +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cisco XXE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Japex
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Osf Builder Suite
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Sourcemonitor
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Cccc
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Violations
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Concrete Cms
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM This Month

CBRN-Analysis before 22 allows XXE attacks via am mws XML document, leading to NTLMv2-SSP hash disclosure. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Cbrn Analysis
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Splunk Splunk Cloud Platform
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

XML External Entity (XXE) vulnerability in Trellix IPS Manager prior to 10.1 M8 allows a remote authenticated administrator to perform XXE attack in the administrator interface part of the interface,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

XXE Intrusion Prevention System Manager
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Candidats
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Infosphere Information Server
NVD
EPSS 8% CVSS 9.1
CRITICAL POC Act Now

VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE VMware +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Compuware Topaz For Total Test
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Repo
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SSRF XXE Epolicy Orchestrator
NVD
EPSS 36% CVSS 7.5
HIGH This Week

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Coldfusion
NVD
EPSS 53% CVSS 7.5
HIGH PATCH This Week

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Adobe Coldfusion
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Netbackup
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Netbackup
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Sterling Partner Engagement Manager
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP.2 and later versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Soap
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Rqm
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Compuware Common Configuration
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF XXE Fme Server
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Cloud Security Gateway Data Loss Prevention +3
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Oracle +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Denial Of Service Mei2Volpiano
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Cognos Analytics +1
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Delta Robot Automation Studio
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft XXE Data Loss Prevention Endpoint
NVD
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Prosody
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Mq
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Sphinx
NVD
EPSS 1% CVSS 8.2
HIGH This Week

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Process Automation Manager
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ignition
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Datapower Gateway
NVD
EPSS 85% CVSS 7.5
HIGH POC PATCH THREAT This Week

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Dogtagpki
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fusion 360
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

untangle is a python library to convert XML data to python objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Python Untangle
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Openkm
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Business Process Management
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service SSRF Apache +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE Business One
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS CSRF +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Recipe
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Okta Sso
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ags Zena
NVD VulDB
Prev Page 5 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1232

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy