CWE-611: Improper Restriction of XML External Entity Reference (XXE)
1,115 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-611 (page 21 of 23)
- CVE-2025-23195 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-21
An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` clas…
- CVE-2025-2365 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-03-17
A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity referenc…
- CVE-2025-24521 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-03-05
External XML entity injection allows arbitrary download of files. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remedia…
- CVE-2025-24910 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-04-16
Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of…
- CVE-2025-24911 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-04-16
Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of…
- CVE-2025-25036 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-03-21
Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection. This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).
- CVE-2025-26400 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-07-29
SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local s…
- CVE-2025-26484 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-08-14
Dell CloudLink, versions 8.0 through 8.1.1, contains an Improper Restriction of XML External Entity Reference vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of s…
- CVE-2025-27136 | MEDIUM | CVSS 5.5 | EG 0.0 | 2025-03-10
LocalS3 is an Amazon S3 mock service for testing and local development. Prior to version 1.21, the LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfigurati…
- CVE-2025-27523 | HIGH | CVSS 8.7 | EG 8.7 | 2025-05-15
XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 1…
- CVE-2025-2775 | CRITICAL | CVSS 9.3 | EG 9.3 | KEV | 2025-05-07
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
- CVE-2025-2776 | CRITICAL | CVSS 9.3 | EG 9.3 | KEV | 2025-05-07
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
- CVE-2025-2777 | CRITICAL | CVSS 9.3 | EG 9.3 | 2025-05-07
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
- CVE-2025-2905 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-05-05
Due to improper configuration of the XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, …
- CVE-2025-29932 | MEDIUM | CVSS 4.1 | EG 4.1 | 2025-03-25
In JetBrains GoLand before 2025.1, an XXE during debugging was possible.
- CVE-2025-30018 | HIGH | CVSS 8.6 | EG 8.6 | 2025-05-13
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files an…
- CVE-2025-30220 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-06-10
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts wh…
- CVE-2025-31039 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-06-09
Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon category-icon allows XML Entity Linking. This issue affects Category Icon: from n/a through <= 1.0.3.
- CVE-2025-31487 | HIGH | CVSS 7.7 | EG 7.7 | 2025-04-03
The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, …
- CVE-2025-31497 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-15
TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its doc…
- CVE-2025-32138 | MEDIUM | CVSS 6.6 | EG 6.6 | 2025-04-04
Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection. This issue affects Easy Google Maps: from n/a through <= 1.11.18.
- CVE-2025-32406 | HIGH | CVSS 8.6 | EG 5.8 | 2025-04-08
An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers to fetch and parse the XML response.
- CVE-2025-3241 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-04-04
A vulnerability, which was classified as problematic, was found in zhangyanbo2007 youkefu up to 4.2.0. This affects an unknown part of the file src/main/java/com/ukefu/webim/web/handler/admin/callcenter/CallCenterRouterController.java of t…
- CVE-2025-33121 | HIGH | CVSS 7.1 | EG 7.1 | 2025-06-19
IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume mem…
- CVE-2025-34142 | MEDIUM | CVSS 6.9 | EG 0.0 | 2025-07-22
An XML External Entity (XXE) injection vulnerability exists in ETQ Reliance on the CG (legacy) platform within the `/resources/sessions/sso` endpoint. The SAML authentication handler processes XML input without disabling external entity re…
- CVE-2025-34490 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-28
GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.
- CVE-2025-35112 | MEDIUM | CVSS 4.1 | EG 4.1 | 2025-08-26
Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should …
- CVE-2025-36049 | HIGH | CVSS 8.8 | EG 8.8 | 2025-06-18
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary…
- CVE-2025-36247 | HIGH | CVSS 7.1 | EG 7.1 | 2026-02-17
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this…
- CVE-2025-36589 | HIGH | CVSS 7.6 | EG 7.6 | 2026-01-06
Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unaut…
- CVE-2025-36603 | MEDIUM | CVSS 4.2 | EG 4.2 | 2025-07-21
Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure …
- CVE-2025-36608 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-07-30
Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading…
- CVE-2025-4044 | HIGH | CVSS 8.2 | EG 8.2 | 2025-08-19
Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows an attacker to disclose sensitive information to an arbitrary URL.
- CVE-2025-40584 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-08-12
A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions < V5.7 SP1 HF1), SIMOTION S…
- CVE-2025-4338 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-05-22
Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An atta…
- CVE-2025-44044 | HIGH | CVSS 7.5 | EG 7.5 | 2025-06-10
Keyoti SearchUnit prior to 9.0.0 is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operat…
- CVE-2025-4639 | HIGH | CVSS 8.8 | EG 0.0 | 2025-05-14
CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of WebDav servlet in Peergos. This issue affects Peergos through version 1.1.0.
- CVE-2025-4641 | CRITICAL | CVSS 9.3 | EG 0.0 | 2025-05-14
Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerab…
- CVE-2025-46425 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-24
Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, l…
- CVE-2025-46726 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-05-05
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing loc…
- CVE-2025-47293 | LOW | CVSS 2.7 | EG 0.0 | 2025-06-19
PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request for…
- CVE-2025-47778 | MEDIUM | CVSS 6.1 | EG 0.0 | 2025-05-14
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for …
- CVE-2025-48006 | CRITICAL | CVSS 9.1 | EG 8.2 | 2025-09-29
Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. If a specially crafted request is processed, arbitrary files on the file system where the server application for the product is inst…
- CVE-2025-48882 | HIGH | CVSS 8.7 | EG 0.0 | 2025-05-30
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtra…
- CVE-2025-4949 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-21
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Ama…
- CVE-2025-49493 | MEDIUM | CVSS 5.8 | EG 5.8 | 2025-06-30
Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.
- CVE-2025-49535 | CRITICAL | CVSS 9.3 | EG 9.3 | 2025-07-08
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerab…
- CVE-2025-49539 | MEDIUM | CVSS 4.5 | EG 4.5 | 2025-07-08
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could levera…
- CVE-2025-49544 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-07-08
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could levera…
- CVE-2025-52162 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-07-18
agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) vulnerability via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data by providing a crafted XML input.