目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CWE-611 XML外部实体引用的不恰当限制(XXE) 类漏洞列表 437

CWE-611 XML外部实体引用的不恰当限制(XXE) 类弱点 437 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-611 指 XML 外部实体注入漏洞,属于处理 XML 文档时的安全缺陷。攻击者通过构造包含恶意外部实体的 XML 数据,诱导系统读取服务器本地文件或发起 SSRF 请求,从而泄露敏感信息或探测内网。开发者应避免使用默认配置解析 XML,禁用外部实体解析功能,并对输入数据进行严格校验与过滤,确保仅处理受信任的实体引用。

MITRE CWE 官方描述
CWE:CWE-611 XML外部实体引用限制不当 英文:该产品处理包含XML实体的XML文档,这些实体的URI可解析到预期控制范围之外的文档,导致该产品将不正确的文档嵌入其输出中。
常见影响 (3)
ConfidentialityRead Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
IntegrityBypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
AvailabilityDoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
缓解措施 (1)
Implementation, System ConfigurationMany XML parsers and validators can be configured to disable external entity expansion.
CVE ID标题CVSS风险等级Published
CVE-2026-48981 pam_usb XML解析漏洞可导致XXE网络实体获取 — pam_usb 6.7 Medium2026-06-18
CVE-2026-49875 Apache CXF 输入验证错误漏洞 — Apache CXF--2026-06-12
CVE-2026-40998 VMware Spring Web Services 代码问题漏洞 — Spring Web Services 8.2 High2026-06-11
CVE-2026-40991 VMware Spring REST Docs 代码问题漏洞 — Spring REST Docs 5.9 Medium2026-06-09
CVE-2026-47960 Adobe ColdFusion 代码问题漏洞 — ColdFusion 7.4 High2026-06-09
CVE-2026-8045 Schneider Electric Data Center Expert 代码问题漏洞 — EcoStruxure™ IT Data Center Expert--2026-06-09
CVE-2026-49383 JetBrains IntelliJ IDEA 代码问题漏洞 — IntelliJ IDEA 3.3 Low2026-05-29
CVE-2026-2253 Hitachi Vantara Pentaho Data Integration and Analytics 安全漏洞 — Pentaho Data Integration and Analytics 7.7 High2026-05-27
CVE-2026-3603 IBM Engineering Lifecycle Management 安全漏洞 — Engineering Lifecycle Management 7.1 High2026-05-26
CVE-2026-44618 Apache CXF 安全漏洞 — Apache CXF--2026-05-22
CVE-2026-46722 TYPO3 Extension Faceted Search 代码问题漏洞 — Extension "Faceted Search"--2026-05-19
CVE-2026-44445 ERPNext 代码问题漏洞 — erpnext--2026-05-13
CVE-2026-41895 changedetection.io 代码问题漏洞 — changedetection.io--2026-05-12
CVE-2026-41936 Vvveb 代码问题漏洞 — Vvveb 8.1 High2026-05-06
CVE-2026-40682 Apache OpenNLP 代码问题漏洞 — Apache OpenNLP 9.8 -2026-05-04
CVE-2026-6501 ILM Informatique jOpenDocument 代码问题漏洞 — jOpenDocument 7.5 -2026-05-04
CVE-2025-14543 RTI Connext Professional 代码问题漏洞 — Connext Professional 5.3 -2026-04-30
CVE-2024-13971 Lobster_pro 代码问题漏洞 — Lobster_pro 6.5 -2026-04-30
CVE-2024-39847 4D Server 代码问题漏洞 — 4D Server 9.1 -2026-04-30
CVE-2026-6807 GRASSMARLIN 代码问题漏洞 — GRASSMARLIN 5.5 Medium2026-04-28
CVE-2026-41066 lxml 代码问题漏洞 — lxml 7.5 High2026-04-24
CVE-2026-40882 OpenRemote 代码问题漏洞 — openremote 7.6 High2026-04-22
CVE-2024-8010 WSO2 API Manager 安全漏洞 — WSO2 API Manager 3.5 Low2026-04-16
CVE-2024-2374 WSO2 Identity Server和WSO2 API Manager Developer Portal 安全漏洞 — WSO2 API Manager 7.5 High2026-04-16
CVE-2026-33737 Chamilo LMS 代码问题漏洞 — chamilo-lms 5.3 Medium2026-04-10
CVE-2026-4374 RTI Connext Professional 安全漏洞 — Connext Professional 9.8AICriticalAI2026-04-01
CVE-2026-34401 XmlNotepad 代码问题漏洞 — XmlNotepad 6.5 Medium2026-03-31
CVE-2026-4980 Inkscape 代码问题漏洞 — Inkscape 6.3 Medium2026-03-27
CVE-2026-33913 OpenEMR 代码问题漏洞 — openemr 7.7 High2026-03-25
CVE-2026-28809 esaml 安全漏洞 — esaml 9.1 -2026-03-23

CWE-611(XML外部实体引用的不恰当限制(XXE)) 是常见的弱点类别,本平台收录该类弱点关联的 437 条 CVE 漏洞。