CWE-643 — XPath Injection
14 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-643
- CVE-2020-25162 | HIGH | CVSS 7.5 | EG 7.5 | 2022-04-14
  An XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate pr…
- CVE-2022-43840 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-04-14
  IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.
- CVE-2023-24922 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-03-14
  Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
- CVE-2023-36429 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-10-10
  Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
- CVE-2023-36433 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-10-10
  Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
- CVE-2024-2645 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-03-19
  A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation of the argument UserId leads to impropе…
- CVE-2024-2648 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-03-19
  A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to impropе…
- CVE-2024-39565 | HIGH | CVSS 8.8 | EG 8.8 | 2024-07-10
  An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target devi…
- CVE-2024-8955 | HIGH | CVSS 7.5 | EG 6.8 | 2025-03-20
  A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_G…
- CVE-2025-11844 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-10-22
  Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supp…
- CVE-2025-20218 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-08-14
  A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an affected device. This vulnerability …
- CVE-2026-24343 | HIGH | CVSS 8.8 | EG 8.8 | 2026-02-10
  Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0. Users are recommended to upgrade to version 1.8.0, which fixes …
- CVE-2026-40699 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-13
  A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Techni…
- CVE-2026-44962 | CRITICAL | CVSS 10.0 | EG 9.9 | 2026-05-29
  Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged use…
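The Smolagents and Plesk entries above name the root cause of this weakness class directly: user input concatenated or interpolated into an XPath query string. The block below is an added example written for this page, not code from any of the projects listed, and its inputs and function names are constructed for illustration. It puts the vulnerable builder next to a hardened one for the case where the API accepts only a query string (browser locators, for instance), so no variable binding exists and the value has to be quoted with XPath 1.0's concat(), because XPath 1.0 string literals have no escape sequence. Where the engine binds variables, prefer that: lxml accepts `root.xpath("//user[name=$n]", n=value)` and Java's javax.xml.xpath exposes XPathVariableResolver.

```python
"""Safe construction of XPath 1.0 string literals.

Added example for this page; not code from Smolagents, Plesk, HertzBeat or
any other vendor listed above.  XPath 1.0 has no escape sequence inside a
string literal, so a value containing a quote cannot be "escaped" into the
query.  The standard workaround when only a query string can be passed is
concat(): split the value on quote characters and join the pieces with
alternating delimiters.
"""

# Constructed sample inputs (hypothetical, for demonstration only).
NORMAL_INPUT = "Ferguson"
INJECTED_INPUT = "') or 1=1 or contains(text(), '"   # classic boolean bypass
MIXED_INPUT = "Bob's \"quoted\" name"                # both quote characters


def vulnerable_xpath(term: str) -> str:
    """The pattern behind the entries above: input pasted into the query.
    A single quote in ``term`` closes the literal and everything after it
    is parsed as XPath syntax."""
    return f"//*[contains(text(), '{term}')]"


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly ``value``.

    No single quote  -> 'value'
    No double quote  -> "value"
    Both             -> concat('piece', "'", 'piece', ...)
    Each piece is wrapped in a delimiter it does not contain, so nothing
    in ``value`` can terminate a literal early."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for i, piece in enumerate(value.split("'")):
        if i:
            parts.append("\"'\"")        # the single quote we split on
        if piece:
            parts.append(f"'{piece}'")   # piece contains no single quote
    return "concat(" + ", ".join(parts) + ")"


def safe_xpath(term: str) -> str:
    """Same query as vulnerable_xpath(), with the input quoted correctly."""
    return f"//*[contains(text(), {xpath_literal(term)})]"


def literal_value(expr: str) -> str:
    """Evaluate a literal-only expression the way an XPath 1.0 engine would:
    a quoted string or concat(literal, literal, ...).  Used here only to
    check that xpath_literal() round-trips; anything else raises."""
    expr = expr.strip()
    if expr.startswith("concat(") and expr.endswith(")"):
        inner = expr[len("concat("):-1]
        return "".join(literal_value(arg) for arg in _split_args(inner))
    if len(expr) >= 2 and expr[0] in "'\"" and expr[-1] == expr[0]:
        body = expr[1:-1]
        if expr[0] in body:
            raise ValueError("literal terminated early: " + expr)
        return body
    raise ValueError("not a string literal: " + expr)


def _split_args(args: str) -> list:
    """Split concat() arguments on commas that sit outside quotes."""
    out, cur, quote = [], [], None
    for ch in args:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == ",":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


if __name__ == "__main__":
    for term in (NORMAL_INPUT, INJECTED_INPUT, MIXED_INPUT):
        print("vulnerable:", vulnerable_xpath(term))
        print("safe:      ", safe_xpath(term))
        assert literal_value(xpath_literal(term)) == term
```

Run it and compare the two queries for INJECTED_INPUT: the vulnerable one becomes `//*[contains(text(), '') or 1=1 or contains(text(), '')]`, which matches every element with text, while the hardened one carries the whole payload as a single double-quoted literal. Quoting is the fallback; it does nothing about an engine or XPath 2.0+ feature you did not expect, so also restrict the query shape (a fixed template plus a validated value) rather than letting the caller supply expression fragments.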
Map vulnerabilities like CWE-643 to your infrastructure
EchelonGraph correlates every CVE — across CWE-643 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.