CVEs classified under CWE-776, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2019-19144 — CVSS 9.8 (critical): XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate.
CVE-2022-23640 — CVSS 9.8 (critical): Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML…
CVE-2014-2228 — CVSS 9.8 (critical): The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML…
CVE-2021-23926 — CVSS 9.1 (critical): The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input…
CVE-2020-24590 — CVSS 9.1 (critical): The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
CVE-2021-32623 — CVSS 8.1 (high): Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable…
CVE-2026-44020 — CVSS 7.5 (high): Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.13.0…
CVE-2026-45771 — CVSS 7.5 (high): FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software…
CVE-2026-31248 — CVSS 7.5 (high): Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files…
CVE-2026-33036 — CVSS 7.5 (high): fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5…
CVE-2026-29074 — CVSS 7.5 (high): SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before…
CVE-2026-26278 — CVSS 7.5 (high): fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no…
CVE-2025-3225 — CVSS 7.5 (high): An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index…
CVE-2024-28757 — CVSS 7.5 (high): libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via…
CVE-2023-49967 — CVSS 7.5 (high): Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc.
CVE-2023-28118 — CVSS 7.5 (high): kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input…
CVE-2022-25857 — CVSS 7.5 (high): The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for…
CVE-2022-33977 — CVSS 7.5 (high): untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive…
CVE-2021-40511 — CVSS 7.5 (high): OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.
CVE-2022-26662 — CVSS 7.5 (high): An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and…
CVE-2021-38490 — CVSS 7.5 (high): Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.
CVE-2020-11462 — CVSS 7.5 (high): An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is…
CVE-2020-3946 — CVSS 7.5 (high): InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to…
CVE-2019-20104 — CVSS 7.5 (high): The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to…
CVE-2015-9541 — CVSS 7.5 (high): Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a…
CVE-2017-18640 — CVSS 7.5 (high): The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVE-2019-11253 — CVSS 7.5 (high): Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2…
CVE-2019-12401 — CVSS 7.5 (high): Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via…
CVE-2019-15160 — CVSS 7.5 (high): The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource…
CVE-2019-5442 — CVSS 7.5 (high): XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large…
CVE-2019-5427 — CVSS 7.5 (high): c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against…
CVE-2011-3288 — CVSS 7.5 (high): Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a…
CVE-2011-1755 — CVSS 7.5 (high): jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of…
CVE-2009-1955 — CVSS 7.5 (high): The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn…
CVE-2024-28982 — CVSS 7.1 (high): Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL…
CVE-2022-34430 — CVSS 7.1 (high): Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this…
CVE-2026-12993 — CVSS 6.5 (medium): A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable…
CVE-2023-41635 — CVSS 6.5 (medium): A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to…
CVE-2022-44641 — CVSS 6.5 (medium): In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that…
CVE-2022-34467 — CVSS 6.5 (medium): A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions < V9.2.2), Mendix Excel Importer…
CVE-2021-41559 — CVSS 6.5 (medium): Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML…
CVE-2021-20464 — CVSS 6.5 (medium): IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious…
CVE-2021-3541 — CVSS 6.5 (medium): A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to…
CVE-2020-15303 — CVSS 6.5 (medium): Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564.
CVE-2020-24665 — CVSS 6.5 (medium): The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an…
CVE-2020-2172 — CVSS 6.5 (medium): Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-6856 — CVSS 6.5 (medium): An XML External Entity (XEE) vulnerability exists in the JOC Cockpit component of SOS JobScheduler 1.12 and 1.13.2 allows attackers to read…