
CWE-611 Improper Restriction of XML External Entity Reference (XXE): vulnerability list (424)

Summary of 424 CVEs mapped to the weakness class CWE-611 Improper Restriction of XML External Entity Reference (XXE), with AI-generated Chinese analysis.

CWE-611 covers XML External Entity (XXE) injection, a weakness in how an application processes XML documents. An attacker submits XML that declares a malicious external entity; when the parser resolves that entity, the application reads local files on the server or issues server-side requests (SSRF), disclosing sensitive data or probing the internal network. Developers should not parse XML with the parser's default configuration: disable external entity resolution (and DTD processing where possible), and validate and filter input strictly so that only trusted entity references are ever processed.

Official MITRE CWE description
CWE-611 Improper Restriction of XML External Entity Reference. English (MITRE): The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Phase: Implementation, System Configuration. Many XML parsers and validators can be configured to disable external entity expansion.
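As an added example (not code from this page or from any of the listed projects), the following Python script runs one classic XXE payload against the standard-library SAX parser twice: once with external general entity expansion enabled, which is the "default entity resolver is enabled" configuration the consequences above describe, and once with the mitigation applied through setFeature(feature_external_ges, False), which is also Python's default since 3.7.1. It also shows a defence-in-depth pre-check that refuses any document carrying a DOCTYPE or ENTITY declaration before it reaches a parser. The "secret" file, its contents and the payload are constructed inline for the demo; the DOCTYPE filter assumes that untrusted input never legitimately needs a DTD, which is an assumption of this example rather than something the page states.

```python
"""XXE demo: one payload, two parser configurations.

Added example, not code from the page or the listed projects. The secret
file and the XML payload below are constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse XML and return its concatenated text content.

    allow_external_entities=True reproduces a parser whose default entity
    resolver is enabled (the CWE-611 condition). False is the documented
    mitigation: the parser is told not to expand external general entities,
    so file:// and http:// URIs in a DTD are never fetched.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text).strip()


def reject_doctype(xml_bytes: bytes) -> bytes:
    """Defence in depth (assumption: untrusted input never needs a DTD).

    Refusing any DOCTYPE/ENTITY declaration up front also closes the
    entity-expansion DoS variants, independent of parser settings.
    """
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declaration in untrusted XML rejected")
    return xml_bytes


def build_payload(target_uri: str) -> bytes:
    """Classic XXE payload: an external general entity pointing at a URI.

    Swapping file:// for http://internal-host/ turns the same payload into
    the SSRF variant; the parser knob that stops it is the same.
    """
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def demo() -> dict:
    """Run the payload against both configurations; return what each saw."""
    # Constructed stand-in for a sensitive server-side file.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        payload = build_payload("file://" + secret_path)
        results = {
            "vulnerable": parse_untrusted(payload, allow_external_entities=True),
            "hardened": parse_untrusted(payload, allow_external_entities=False),
        }
        try:
            reject_doctype(payload)
            results["doctype_filter"] = "accepted"
        except ValueError:
            results["doctype_filter"] = "rejected"
        return results
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name:15s}: {seen!r}")
```

With expansion enabled the parsed text is the secret file's contents; with it disabled the entity silently expands to nothing, and the DOCTYPE filter never lets the payload reach a parser at all. The same feature_external_ges switch is what stops the http:// SSRF variant, which is why "disable external entity expansion" is the mitigation MITRE lists rather than any content filtering.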
CVE ID | Title | Product | CVSS | Severity | Published   (AI = score and severity produced by the site's AI analysis)
CVE-2026-41936 | Vvveb <1.0.8.2 XML External Entity Injection vulnerability | Vvveb | 8.1 | High | 2026-05-06
CVE-2026-40682 | Apache OpenNLP dictionary parsing XXE vulnerability | Apache OpenNLP | 9.8 (AI) | Critical (AI) | 2026-05-04
CVE-2026-6501 | jOpenDocument 1.5 improper restriction of XML external entity reference vulnerability | jOpenDocument | 7.5 (AI) | High (AI) | 2026-05-04
CVE-2025-14543 | Connext Professional Core Libraries XML external entity reference vulnerability | Connext Professional | 5.3 (AI) | Medium (AI) | 2026-04-30
CVE-2024-13971 | Lobster_pro XML external entity leading to arbitrary file read and SSRF vulnerability | Lobster_pro | 6.5 (AI) | Medium (AI) | 2026-04-30
CVE-2024-39847 | 4D Server SOAP XML external entity arbitrary file read vulnerability | 4D Server | 9.1 (AI) | Critical (AI) | 2026-04-30
CVE-2026-6807 | GRASSMARLIN code issue vulnerability | GRASSMARLIN | 5.5 | Medium | 2026-04-28
CVE-2026-41066 | lxml code issue vulnerability | lxml | 7.5 | High | 2026-04-24
CVE-2026-40882 | OpenRemote code issue vulnerability | openremote | 7.6 | High | 2026-04-22
CVE-2024-8010 | WSO2 API Manager security vulnerability | WSO2 API Manager | 3.5 | Low | 2026-04-16
CVE-2024-2374 | WSO2 Identity Server and WSO2 API Manager Developer Portal security vulnerability | WSO2 API Manager | 7.5 | High | 2026-04-16
CVE-2026-33737 | Chamilo LMS code issue vulnerability | chamilo-lms | 5.3 | Medium | 2026-04-10
CVE-2026-4374 | RTI Connext Professional security vulnerability | Connext Professional | 9.8 (AI) | Critical (AI) | 2026-04-01
CVE-2026-34401 | XmlNotepad code issue vulnerability | XmlNotepad | 6.5 | Medium | 2026-03-31
CVE-2026-4980 | Inkscape code issue vulnerability | Inkscape | 6.3 | Medium | 2026-03-27
CVE-2026-33913 | OpenEMR code issue vulnerability | openemr | 7.7 | High | 2026-03-25
CVE-2026-28809 | esaml security vulnerability | esaml | 9.1 | - | 2026-03-23
CVE-2026-3511 | Autogram security vulnerability | Autogram | 8.6 | High | 2026-03-19
CVE-2026-32251 | Tolgee code issue vulnerability | tolgee-platform | 6.5 (AI) | Medium (AI) | 2026-03-12
CVE-2026-1567 | IBM InfoSphere Information Server code issue vulnerability | InfoSphere Information Server | 7.1 | High | 2026-03-03
CVE-2026-3404 | JeeSite code issue vulnerability | JeeSite | 5.0 | Medium | 2026-03-02
CVE-2026-2252 | Xerox FreeFlow Core security vulnerability | FreeFlow Core | 7.5 | High | 2026-02-27
CVE-2025-36247 | IBM Db2 code issue vulnerability | Db2 for Linux, UNIX and Windows | 7.1 | High | 2026-02-17
CVE-2026-2536 | JFlow code issue vulnerability | JFlow | 6.3 | Medium | 2026-02-16
CVE-2020-37192 | Top Password MSN Password Recovery code issue vulnerability | MSN Password Recovery | 6.2 | Medium | 2026-02-11
CVE-2026-1227 | Schneider Electric EcoStruxure Building Operation Workstation code issue vulnerability | EcoStruxure Building Operation Workstation | 7.8 (AI) | High (AI) | 2026-02-11
CVE-2026-2074 | O2OA code issue vulnerability | O2OA | 6.3 | Medium | 2026-02-07
CVE-2026-23739 | Asterisk code issue vulnerability | asterisk | 2.0 | Low | 2026-02-06
CVE-2026-23795 | Apache Syncope code issue vulnerability | Apache Syncope | 4.9 (AI) | Medium (AI) | 2026-02-03
CVE-2026-24400 | AssertJ code issue vulnerability | assertj | 9.8 (AI) | Critical (AI) | 2026-01-26

CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) is a common weakness class; this platform lists 424 CVEs associated with it.