CWE-611: Improper Restriction of XML External Entity Reference (XXE) — known CVE vulnerabilities
CVEs classified under CWE-611 (Improper Restriction of XML External Entity Reference (XXE)), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2022-22486 — CVSS 10.0 (critical): IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A…
CVE-2019-14678 — CVSS 10.0 (critical): SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples…
CVE-2018-1000838 — CVSS 10.0 (critical): autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of…
CVE-2018-1000837 — CVSS 10.0 (critical): UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of…
CVE-2018-1000835 — CVSS 10.0 (critical): KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of…
CVE-2018-1000831 — CVSS 10.0 (critical): K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of…
CVE-2018-1000830 — CVSS 10.0 (critical): XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of…
CVE-2018-1000825 — CVSS 10.0 (critical): FreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in…
CVE-2018-1000823 — CVSS 10.0 (critical): exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure…
CVE-2018-1000822 — CVSS 10.0 (critical): codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in…
CVE-2018-1000821 — CVSS 10.0 (critical): MicroMathematics version before commit 5c05ac8 contains a XML External Entity (XXE) vulnerability in SMathStudio files that can result in…
CVE-2018-1000820 — CVSS 10.0 (critical): neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can…
CVE-2018-1000652 — CVSS 10.0 (critical): JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of…
CVE-2018-1000651 — CVSS 10.0 (critical): Stroom version <5.4.5 contains a XML External Entity (XXE) vulnerability in XML Parser that can result in disclosure of confidential data…
CVE-2018-1000644 — CVSS 10.0 (critical): Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can…
CVE-2018-1000124 — CVSS 10.0 (critical): I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplex…
CVE-2017-8110 — CVSS 10.0 (critical): www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.
CVE-2025-30220 — CVSS 9.9 (critical): GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to…
CVE-2023-27874 — CVSS 9.9 (critical): IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated…
CVE-2022-20780 — CVSS 9.9 (critical): Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual…
CVE-2018-18406 — CVSS 9.9 (critical): An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 build 1179(Final). The Audit Report module is affected by a blind XXE…
CVE-2017-13706 — CVSS 9.9 (critical): XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows…
CVE-2026-49875 — CVSS 9.8 (critical): Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening…
CVE-2026-38429 — CVSS 9.8 (critical): OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user…
CVE-2025-65482 — CVSS 9.8 (critical): An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via…
CVE-2018-25142 — CVSS 9.8 (critical): NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML…
CVE-2023-38693 — CVSS 9.8 (critical): Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee…
CVE-2024-55081 — CVSS 9.8 (critical): An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute…
CVE-2021-3902 — CVSS 9.8 (critical): An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery…
CVE-2024-51132 — CVSS 9.8 (critical): An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary…
CVE-2024-51136 — CVSS 9.8 (critical): An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute…
CVE-2024-7098 — CVSS 9.8 (critical): Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection. This issue affects…
CVE-2024-21082 — CVSS 9.8 (critical): Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are…
CVE-2023-26999 — CVSS 9.8 (critical): An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a…
CVE-2023-52252 — CVSS 9.8 (critical): Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the…
CVE-2023-46265 — CVSS 9.8 (critical): An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
CVE-2023-49733 — CVSS 9.8 (critical): Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before…
CVE-2023-49656 — CVSS 9.8 (critical): Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-46502 — CVSS 9.8 (critical): An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure…
CVE-2022-48565 — CVSS 9.8 (critical): An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML…
CVE-2023-20918 — CVSS 9.8 (critical): In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no…
CVE-2023-24189 — CVSS 9.8 (critical): An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to…
CVE-2023-24443 — CVSS 9.8 (critical): Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24441 — CVSS 9.8 (critical): Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.