Skip to main content

XML External Entity Injection

web HIGH

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions.

How It Works

XML External Entity (XXE) attacks exploit XML parsers that process Document Type Definitions (DTDs) without proper restrictions. When an application accepts XML input, an attacker can inject a malicious DOCTYPE declaration containing external entity references. These entities instruct the parser to fetch content from arbitrary locations—either local files on the server or remote URLs.

The attack begins with crafting XML that defines an external entity, such as <!ENTITY xxe SYSTEM "file:///etc/passwd">, then references it within the document body using &xxe;. When the parser processes this XML, it automatically resolves the entity, reading the specified file and incorporating its contents into the parsed output. Attackers can retrieve this data directly if it's reflected in responses, or use out-of-band techniques when the application doesn't display parsed content.

Beyond basic file retrieval, XXE enables Server-Side Request Forgery by using HTTP/HTTPS URLs in entity declarations, allowing attackers to probe internal networks. Parameter entities create "blind XXE" scenarios where data is exfiltrated through DNS queries or HTTP requests to attacker-controlled servers. The attack surface extends beyond obvious XML endpoints—SVG images, Microsoft Office documents (DOCX/XLSX), and SOAP services all contain XML that parsers process, often without developer awareness.

Impact

  • Arbitrary file disclosure: Read sensitive files like /etc/passwd, application configuration files, source code, or SSH keys
  • Server-Side Request Forgery: Scan internal networks, access cloud metadata services (AWS EC2 metadata), or interact with internal APIs
  • Denial of Service: Exponential entity expansion attacks (Billion Laughs) consume memory and CPU, crashing applications
  • Remote code execution: In specific configurations with expect:// protocol handlers or through PHP's phar:// wrapper exploitation
  • Authentication bypass: Extract credential files or session tokens from filesystem

Real-World Examples

The Facebook career site XXE vulnerability (2014) allowed attackers to read arbitrary files from internal servers by uploading malicious DOCX resumes. The XML contained within the Office document format was parsed without entity restrictions, exposing internal file contents.

Google's XML parsing infrastructure suffered from XXE in several products including Google Toolbar and Google Mini search appliance, where attackers could retrieve configuration files and access internal network resources through crafted XML requests.

Cisco's Security Manager (CVE-2018-15379) contained an XXE vulnerability in its SOAP interface that permitted unauthenticated attackers to read arbitrary files with root privileges. Attackers exploited this by sending specially crafted SOAP messages containing external entity declarations to the management interface.

Mitigation

  • Disable external entity processing entirely in XML parser configuration (setFeature("http://apache.org/xml/features/disallow-doctype-decl", true))
  • Disable DTD processing if external entities can't be disabled (setFeature("http://xml.org/sax/features/external-general-entities", false))
  • Use JSON instead of XML for APIs and data interchange when possible
  • Implement allowlisting for XML schemas and reject documents with DOCTYPE declarations
  • Apply strict input validation on content-type headers to prevent forced XML parsing
  • Use less complex XML parsers or dedicated security-focused parsing libraries
  • Run XML processing in sandboxed environments with restricted filesystem and network access

Recent CVEs (1233)

EPSS 1% CVSS 9.8
CRITICAL Act Now

ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ags Zena
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Saml
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Magicpin
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

VMware Information Disclosure Microsoft +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Morpheus
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Teamcenter
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Storable Configs
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Managed File Transfer Command Center Managed File Transfer Internet Server
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved.4.0 and prior versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Jena
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Administration Center
NVD
EPSS 1% CVSS 5.5
MEDIUM This Month

In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Dmars
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Open Build Service
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Solar Appscreener
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Commons
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Detekt
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Scadapack Workbench
NVD
EPSS 97% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho RCE XXE +1
NVD
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Connected Components Workbench Isagraf +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Pipeline
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Coverage Complexity Scatter Plot
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Flaky Test Handler
NVD
EPSS 0% CVSS 3.8
LOW Monitor

A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Epolicy Orchestrator
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cvrf Csaf Converter
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Proteus Trytond +1
NVD
EPSS 14% CVSS 6.5
MEDIUM POC THREAT This Month

An issue was discovered in OverIT Geocall before version 8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Geocall
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XXE Manager Agents
NVD
EPSS 3% CVSS 9.1
CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XXE Any23
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Liquibase Sqlcl
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Hazelcast
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Excel Streaming Reader
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Java +19
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
EPSS 3% CVSS 5.5
MEDIUM This Month

XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Kace Desktop Authority
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Knime Analytics Platform
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

dbeaver is vulnerable to Improper Restriction of XML External Entity Reference. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

XXE Dbeaver
NVD GitHub
EPSS 3% CVSS 9.1
CRITICAL POC PATCH Act Now

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE H2
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Multiner
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Digger
NVD GitHub
EPSS 1% CVSS 7.7
HIGH This Week

CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cloverdx
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Filemaker Pro +1
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Owasp Dependency Check
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Jenkins XXE +1
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Performance
NVD
EPSS 1% CVSS 8.1
HIGH This Week

An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Fortiportal
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XXE Infosphere Information Server
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE +1
NVD
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure XXE Denial Of Service +2
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

corenlp is vulnerable to Improper Restriction of XML External Entity Reference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Corenlp
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mozilla XXE Remote Service Manager
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server -. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft XXE Jasperreports Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE SAP +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Opencms
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XXE Manageengine Admanager Plus
NVD
EPSS 3% CVSS 6.5
MEDIUM This Month

Apache OpenOffice has a dependency on expat software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Pingfederate
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco SSRF XXE +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ngeniusone
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Nokogiri
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Jazz For Service Management +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Jena
NVD
EPSS 1% CVSS 8.2
HIGH POC This Week

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Assyst
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Teamcenter Visualization
NVD
EPSS 3% CVSS 9.1
CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Any23
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Paloalto +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal XXE +1
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Nested View
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Owslib Pywps +1
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL Act Now

The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XXE Screenshare
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection". Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Hcl Commerce
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cpanel
NVD
EPSS 66% CVSS 9.1
CRITICAL POC THREAT Act Now

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Mobiletogether Server
NVD Exploit-DB
EPSS 1% CVSS 5.5
MEDIUM This Month

A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Solid Edge Se2021 Firmware
NVD
EPSS 1% CVSS 7.5
HIGH This Week

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mule
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Glances
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Qradar Security Information And Event Manager
NVD
EPSS 1% CVSS 7.6
HIGH This Week

XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Verastream Host Integrator
NVD
EPSS 85% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Oracle XXE Bi Publisher
NVD
EPSS 2% CVSS 8.2
HIGH This Week

Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE G 50A Firmware Gb 50A Firmware +17
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

FlowDroid is a data flow analysis tool. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

XXE Flowdroid
NVD GitHub
EPSS 25% CVSS 7.5
HIGH POC PATCH THREAT This Week

The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Vsa
NVD
EPSS 1% CVSS 5.5
MEDIUM This Month

Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fpwin Pro
NVD
EPSS 43% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Selenium Html Report
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Xml2Dict
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Ecns280 Firmware
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Report portal is an open source reporting and analysis framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Service Api
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Automate
NVD
Prev Page 6 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1233

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy