
CWE-112 (Missing XML Validation) — Vulnerability Class 7

7 vulnerabilities classified as CWE-112 (Missing XML Validation). AI Chinese analysis included.

CWE-112 represents a critical input validation weakness where applications accept XML data from untrusted sources without verifying it against a defined Document Type Definition (DTD) or XML Schema. This oversight allows attackers to inject malformed, unexpected, or malicious structures that violate the programmer’s assumptions about expected data formats. Exploitation typically involves crafting specially designed XML payloads that trigger parsing errors, cause denial-of-service conditions through billion laughs attacks, or facilitate XML External Entity (XXE) injections to access sensitive files. To mitigate this risk, developers must rigorously validate all incoming XML documents against strict schemas before processing. Additionally, implementing secure XML parsers that disable external entity resolution and limiting the complexity of parsed structures are essential defensive measures. By enforcing strict validation rules, organizations can prevent attackers from exploiting structural ambiguities and ensure that only well-formed, expected data enters the system.

MITRE CWE Description
The product accepts XML from an untrusted source but does not validate the XML against the proper schema. Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.
Common Consequences (1)
Integrity: Unexpected State
Mitigations (1)
Architecture and Design: Always validate XML input against a known XML Schema or DTD. It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-form…
Examples (2)
The following code loads and parses an XML file.

    // Read DOM
    try {
        ...
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating( false );   // validation explicitly switched off; no DTD or schema check
        ....
        c_dom = factory.newDocumentBuilder().parse( xmlFile );
    } catch(Exception ex) {
        ...
    }

Bad · Java

The following code creates a DocumentBuilder object to be used in building an XML document.

    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    builderFactory.setNamespaceAware(true);
    DocumentBuilder builder = builderFactory.newDocumentBuilder();   // no schema set, so nothing is validated

Bad · Java
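The hardened counterpart to the two bad snippets, added here as an illustration and not taken from the CWE entry or from any product listed on this page: it compiles a constructed <order> schema (the XSD, the element names and the three test documents are assumptions), refuses any DOCTYPE, and turns schema violations into parse failures instead of the JDK's default printed warnings.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;

public class ValidatingXmlParser {
    // Constructed sample schema (not from the CWE entry): <order> holds exactly one positive <qty>.
    static final String ORDER_XSD = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"order\"><xs:complexType><xs:sequence>"
        + "<xs:element name=\"qty\" type=\"xs:positiveInteger\"/>"
        + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    static Schema compileSchema(String xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // the schema itself may not
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // fetch remote resources
        return sf.newSchema(new StreamSource(new StringReader(xsd)));
    }

    static DocumentBuilder secureValidatingBuilder(Schema schema) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE: removes XXE and entity-expansion (billion laughs) vectors outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false); f.setExpandEntityReferences(false);
        // XSD checks run inside parse(); setValidating(true) is DTD-only and must stay false here.
        f.setSchema(schema);
        DocumentBuilder b = f.newDocumentBuilder();
        // The JDK default handler just prints schema errors and keeps going; make them fatal.
        b.setErrorHandler(new DefaultHandler() {
            @Override public void error(SAXParseException e) throws SAXException { throw e; }
        });
        return b;
    }

    // True only if the document is well-formed, DOCTYPE-free and conforms to the schema.
    static boolean accepts(DocumentBuilder b, String xml) {
        try { b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))); return true; }
        catch (SAXException | IOException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = secureValidatingBuilder(compileSchema(ORDER_XSD));
        System.out.println(accepts(b, "<order><qty>3</qty></order>"));   // constructed: conforming
        System.out.println(accepts(b, "<order><qty>-1</qty></order>"));  // constructed: qty not positive
        System.out.println(accepts(b, "<!DOCTYPE o [<!ENTITY x \"y\">]><order><qty>3</qty></order>"));
    }
}
```

Note that setSchema() and setValidating(true) are mutually exclusive in the JDK's Xerces: the first requests XSD validation, the second DTD validation, and enabling both raises a parser configuration error.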
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-1190 | Org.keycloak/keycloak-services: Keycloak SAML brokering: response delay due to unchecked NotOnOrAfter in SubjectConfirmationData | Red Hat build of Keycloak 26.4 | 3.1 | Low | 2026-01-26
CVE-2023-40310 | Missing XML Validation vulnerability in SAP PowerDesigner Client BPMN2 import | SAP PowerDesigner Client | 6.5 | Medium | 2023-10-10
CVE-2021-27780 | HCL BigFix Mobile / Modern Client Management is vulnerable to unauthenticated XML interaction | HCL BigFix Mobile / Modern Client Management | 5.3 | Medium | 2022-05-27
CVE-2022-28213 | SAP BusinessObjects Business Intelligence Platform security vulnerability | SAP BusinessObjects Business Intelligence Platform | 8.1 | - | 2022-04-12
CVE-2021-1359 | Cisco Web Security Appliance Privilege Escalation Vulnerability | Cisco Web Security Appliance (WSA) | 6.3 | Medium | 2021-07-08
CVE-2020-27282 | Hamilton-medical Hamilton-T1 security vulnerability | Hamilton Medical AG, T1-Ventilator | 4.6 | - | 2021-03-15
CVE-2020-1975 | Missing XML Validation in PAN-OS Web Interface | PAN-OS | 6.8 | Medium | 2020-02-12

Vulnerabilities classified as CWE-112 (Missing XML Validation) represent 7 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.