
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class 424

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 represents a critical input validation weakness where applications improperly process XML documents containing external entity references. Attackers typically exploit this vulnerability by injecting malicious XML payloads that reference local files, remote servers, or internal network resources. This allows adversaries to perform server-side request forgery, read sensitive system files, or execute denial-of-service attacks by forcing the application to resolve dangerous URIs. To mitigate this risk, developers must rigorously disable XML external entity processing in their parsers. Implementing strict input validation, using safe XML libraries that inherently block external entities, and configuring parsers to reject any DTD or entity definitions are essential defensive measures. By ensuring that XML processors only handle expected, internal content, organizations can effectively prevent unauthorized data access and maintain the integrity of their systems against these sophisticated injection attacks.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
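As an added illustration of the mitigation above (example code written for this page, not from MITRE or from any vendor listed below), the Python function here uses the standard-library expat parser and refuses any document that carries a DOCTYPE, so neither external nor internal entities can ever be declared; the sample documents are constructed.

```python
"""Hardened XML parsing: refuse any DTD so no entity can be declared."""
import xml.parsers.expat
from xml.parsers.expat import ExpatError


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DOCTYPE, which is where XXE payloads live."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse with expat, aborting at the first DOCTYPE declaration.

    Rejecting the DTD outright (rather than only disabling external entity
    expansion) also stops internal-entity expansion bombs such as "billion laughs".
    Returns the root element name and its concatenated character data.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any <!ENTITY ...> declaration is processed.
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed (SYSTEM id {sysid!r})")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = state["text"].append
    # Defence in depth: never fetch external parameter entities either.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)
    return {"root": state["root"], "text": "".join(state["text"]).strip()}


def check_document(xml_bytes: bytes) -> str:
    """Classify untrusted input as 'ok', 'dtd-rejected' or 'malformed'."""
    try:
        parse_without_dtd(xml_bytes)
        return "ok"
    except UnsafeXMLError:
        return "dtd-rejected"
    except ExpatError:
        return "malformed"


# Constructed sample inputs (not taken from any CVE listed on this page).
SAFE_DOC = b"<?xml version='1.0'?><order><id>42</id></order>"
XXE_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///some/local/file'>]>"
           b"<order>&ext;</order>")
```

A document with a harmless DOCTYPE and no entities is rejected as well; that is deliberate, since a parser that only needs plain element content has no business accepting a DTD from an untrusted source.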
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-1218 | Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference | Zhiyou ERP | 6.3 | Medium | 2026-01-20
CVE-2025-14478 | Demo Importer Plus <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload | Demo Importer Plus | 7.5 | High | 2026-01-17
CVE-2022-50899 | Geonetwork 4.2.0 - XML External Entity (XXE) | GeoNetwork | 6.5 | Medium | 2026-01-13
CVE-2025-68493 | Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component | Apache Struts | 7.5 | - | 2026-01-11
CVE-2026-22186 | Bio-Formats <= 8.3.0 XXE in Leica XLEF Metadata Parser | Bio-Formats | 8.4 | - | 2026-01-07
CVE-2026-20029 | Cisco Identity Services Engine XML External Entity Processing Information Disclosure Vulnerability | Cisco Identity Services Engine Software | 4.9 | Medium | 2026-01-07
CVE-2025-36589 | Dell Unisphere for PowerMax code issue vulnerability | Unisphere for PowerMax | 7.6 | High | 2026-01-06
CVE-2025-68280 | Apache SIS: XML External Entity (XXE) vulnerability | Apache SIS | 5.3 | - | 2026-01-05
CVE-2025-15251 | beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference | FastBee | 5.6 | Medium | 2025-12-30
CVE-2019-25253 | KYOCERA Net Admin 3.4.0906 Unauthenticated XML External Entity Injection | KYOCERA Net Admin | 7.5 | High | 2025-12-24
CVE-2018-25142 | NovaRad NovaPACS Diagnostics Viewer 8.5 XML External Entity Injection | NovaPACS Diagnostics Viewer | 9.8 | Critical | 2025-12-24
CVE-2024-58335 | OpenXRechnungToolbox code issue vulnerability | OpenXRechnungToolbox | 5.0 | Medium | 2025-12-24
CVE-2025-68463 | biopython code issue vulnerability | Biopython | 4.9 | Medium | 2025-12-18
CVE-2025-61813 | ColdFusion - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | ColdFusion | 8.2 | High | 2025-12-09
CVE-2025-61821 | ColdFusion - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | ColdFusion | 6.8 | Medium | 2025-12-09
CVE-2025-61823 | ColdFusion - Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | ColdFusion | 6.2 | Medium | 2025-12-09
CVE-2025-66516 | Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected | Apache Tika core | 8.4 | High | 2025-12-04
CVE-2025-66370 | kivitendo-erp code issue vulnerability | kivitendo | 5.0 | Medium | 2025-11-28
CVE-2025-66372 | Mustangproject code issue vulnerability | Mustang | 2.8 | Low | 2025-11-28
CVE-2025-66371 | Peppol-py code issue vulnerability | Peppol-py | 5.0 | Medium | 2025-11-28
CVE-2025-58360 | GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature | geoserver | 8.2 | High | 2025-11-25
CVE-2025-13209 | bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference | oa_git_free | 6.3 | Medium | 2025-11-15
CVE-2025-11700 | N-central Multiple XXE Injection Vulnerabilities | N-central | 7.5 | - | 2025-11-12
CVE-2025-64518 | CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection | cyclonedx-core-java | 7.5 | High | 2025-11-10
CVE-2025-10713 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration | WSO2 Enterprise Integrator | 6.5 | Medium | 2025-11-05
CVE-2025-12531 | IBM InfoSphere Information Server is affected by an XML external entity injection (XXE) vulnerability | InfoSphere Information Server | 7.1 | High | 2025-11-03
CVE-2025-46425 | Dell Storage Manager and Dell Storage Center code issue vulnerability | Dell Storage Manager | 6.5 | Medium | 2025-10-24
CVE-2025-6985 | XXE Vulnerability in langchain-ai/langchain | langchain-ai/langchain | 7.5 (AI) | High (AI) | 2025-10-06
CVE-2025-11341 | Jinher OA type xml external entity reference | OA | 7.3 | High | 2025-10-06
CVE-2025-48006 | Ashisuto DataSpider Servista code issue vulnerability | DataSpider Servista | 9.1 (AI) | Critical (AI) | 2025-09-29

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.