
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class (424 CVEs)

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 is an input validation weakness in which an application processes XML documents that contain external entity references without restricting them. Attackers exploit it by submitting XML whose entity declarations reference local files, remote servers, or internal network resources, so that the parser resolves those URIs on the application's behalf: the result is server-side request forgery, disclosure of sensitive system files, or denial of service when the parser is forced to resolve a dangerous URI. The mitigation is to disable external entity processing in the XML parser. Strict input validation, XML libraries that block external entities by default, and parser configurations that reject any DTD or entity definition are the essential defensive measures. When XML processors handle only the expected, internal content, unauthorized data access through entity resolution is prevented and the integrity of the system against these injection attacks is maintained.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
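One way to apply the mitigation above in Python, as an added example that is not from this page or from any of the projects listed below: the legacy SAX feature that fetches external general entities is shown beside an expat-based entry point that rejects any DOCTYPE outright, and both are fed the same document. The document shape, the temporary "secret" file and all function names are constructed for the demonstration; only the standard library is used.

```python
# Added example (not code from the page): the legacy-unsafe SAX feature beside
# a hardened expat entry point. The "secret" file is constructed for the demo.
import io, os, tempfile, xml.sax, xml.sax.handler, xml.parsers.expat as expat

class DtdRejected(ValueError):
    """Untrusted input carried a DOCTYPE, which is where entities get declared."""

class _Text(xml.sax.handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

def parse_legacy_sax(data: bytes) -> str:
    """Weak setting: external general entities are fetched and inlined."""
    parser, text = xml.sax.make_parser(), _Text()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)  # the weakness
    parser.setContentHandler(text)
    parser.parse(io.BytesIO(data))
    return "".join(text.chunks)

def parse_hardened(data: bytes) -> str:
    """Reject any DOCTYPE up front; also refuse external and parameter entities."""
    parser, chunks = expat.ParserCreate(), []
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in untrusted XML")
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0  # fail
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)

def untrusted_document(path: str) -> bytes:
    """Constructed sample in the shape the page describes: a local-file entity."""
    return f'<!DOCTYPE d [<!ENTITY ext SYSTEM "{path}">]><d>&ext;</d>'.encode()

def demo() -> tuple:
    """Same document into both parsers: (text legacy inlined, hardened's error)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"secret-value")  # constructed stand-in for a sensitive file
        doc = untrusted_document(secret)
        leaked = parse_legacy_sax(doc)
        try:
            parse_hardened(doc)
            return leaked, None
        except DtdRejected as exc:
            return leaked, str(exc)
```

Rejecting the DOCTYPE is the check to run first, because a DTD is the only place an entity can be declared; the entity-reference and parameter-entity settings are defence in depth for parsers that must accept DTDs.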
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41936 | Vvveb < 1.0.8.2 XML External Entity Injection via Import | Vvveb | 8.1 | High | 2026-05-06
CVE-2026-40682 | Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor | Apache OpenNLP | 9.8 | - | 2026-05-04
CVE-2026-6501 | ILM Informatique jOpenDocument code issue vulnerability | jOpenDocument | 7.5 | - | 2026-05-04
CVE-2025-14543 | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. | Connext Professional | 5.3 | - | 2026-04-30
CVE-2024-13971 | Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro | Lobster_pro | 6.5 | - | 2026-04-30
CVE-2024-39847 | Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP | 4D Server | 9.1 | - | 2026-04-30
CVE-2026-6807 | NSA GRASSMARLIN Improper Restriction of XML External Entity Reference | GRASSMARLIN | 5.5 | Medium | 2026-04-28
CVE-2026-41066 | lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files | lxml | 7.5 | High | 2026-04-24
CVE-2026-40882 | OpenRemote has XXE in Velbus Asset Import | openremote | 7.6 | High | 2026-04-22
CVE-2024-8010 | XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files | WSO2 API Manager | 3.5 | Low | 2026-04-16
CVE-2024-2374 | XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service | WSO2 API Manager | 7.5 | High | 2026-04-16
CVE-2026-33737 | Chamilo LMS has an XML External Entity (XXE) Injection | chamilo-lms | 5.3 | Medium | 2026-04-10
CVE-2026-4374 | Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service, Observability Collector, Recording Service, Queueing Service, Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat... | Connext Professional | 9.8 (AI) | Critical (AI) | 2026-04-01
CVE-2026-34401 | XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading | XmlNotepad | 6.5 | Medium | 2026-03-31
CVE-2026-4980 | Improper Restriction of XML External Entity Reference in Inkscape | Inkscape | 6.3 | Medium | 2026-03-27
CVE-2026-33913 | OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files | openemr | 7.7 | High | 2026-03-25
CVE-2026-28809 | XXE in esaml SAML library allows local file read and potential SSRF | esaml | 9.1 | - | 2026-03-23
CVE-2026-3511 | Autogram security vulnerability | Autogram | 8.6 | High | 2026-03-19
CVE-2026-32251 | Tolgee has an XXE Injection in Translation Import | tolgee-platform | 6.5 (AI) | Medium (AI) | 2026-03-12
CVE-2026-1567 | IBM InfoSphere Information Server is affected by an XML external entity injection (XXE) vulnerability | InfoSphere Information Server | 7.1 | High | 2026-03-03
CVE-2026-3404 | thinkgem JeeSite Endpoint CasOutHandler.java xml external entity reference | JeeSite | 5.0 | Medium | 2026-03-02
CVE-2026-2252 | XML External Entity (XXE) vulnerability resulting in Server-Side Request Forgery (SSRF) | FreeFlow Core | 7.5 | High | 2026-02-27
CVE-2025-36247 | IBM Db2 XML External Entity Reference | Db2 for Linux, UNIX and Windows | 7.1 | High | 2026-02-17
CVE-2026-2536 | opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference | JFlow | 6.3 | Medium | 2026-02-16
CVE-2020-37192 | MSN Password Recovery 1.30 - XML External Entity Injection | MSN Password Recovery | 6.2 | Medium | 2026-02-11
CVE-2026-1227 | Schneider Electric EcoStruxure Building Operation Workstation code issue vulnerability | EcoStruxure Building Operation Workstation | 7.8 (AI) | High (AI) | 2026-02-11
CVE-2026-2074 | O2OA HTTP POST Request check xml external entity reference | O2OA | 6.3 | Medium | 2026-02-07
CVE-2026-23739 | Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection | asterisk | 2.0 | Low | 2026-02-06
CVE-2026-23795 | Apache Syncope: Console XXE on Keymaster parameters | Apache Syncope | 4.9 (AI) | Medium (AI) | 2026-02-03
CVE-2026-24400 | AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion | assertj | 9.8 (AI) | Critical (AI) | 2026-01-26

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.