CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class 424

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 represents a critical input validation weakness where applications improperly process XML documents containing external entity references. Attackers typically exploit this vulnerability by injecting malicious XML payloads that reference local files, remote servers, or internal network resources. This allows adversaries to perform server-side request forgery, read sensitive system files, or execute denial-of-service attacks by forcing the application to resolve dangerous URIs. To mitigate this risk, developers must rigorously disable XML external entity processing in their parsers. Implementing strict input validation, using safe XML libraries that inherently block external entities, and configuring parsers to reject any DTD or entity definitions are essential defensive measures. By ensuring that XML processors only handle expected, internal content, organizations can effectively prevent unauthorized data access and maintain the integrity of their systems against these sophisticated injection attacks.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
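One way to apply that mitigation in Python, as an added example that is not code from this page or from any listed vendor: refuse any inbound document that declares a DTD or entity before it reaches the parser, and keep the parser's own external-entity features switched off as a second layer. The XXERejected class, parse_untrusted and the two sample documents are this example's own constructions.

```python
import io
import re
from xml.sax import handler, make_parser
from xml.sax.handler import ContentHandler

# Layer 1: refuse any document that declares a DTD or entity; without a DTD
# there is nowhere to define an external entity. Matching inside a comment
# also rejects the document, which is the fail-closed direction we want.
_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class XXERejected(ValueError):
    """Inbound document carries a DOCTYPE or ENTITY declaration."""

def reject_dtd(xml_text: str) -> None:
    # Expects decoded text: scanning raw bytes would miss e.g. UTF-16 input.
    if _DTD_RE.search(xml_text):
        raise XXERejected("DOCTYPE/ENTITY declarations are not accepted")

class _TagCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.tags = []
    def startElement(self, name, attrs):
        self.tags.append(name)

def hardened_sax_parser():
    """Layer 2: SAX parser with external general and parameter entities off,
    so a SYSTEM entity with a file:// or http:// URI is never fetched."""
    parser = make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    return parser

def parse_untrusted(xml_text: str) -> list:
    """Return the element names of an untrusted document, or raise XXERejected."""
    reject_dtd(xml_text)
    collector = _TagCollector()
    parser = hardened_sax_parser()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.tags

# Constructed sample input: a benign order document and an XXE probe that
# declares an external entity pointing at a local file (cf. the CWE text).
BENIGN = "<order><item sku='A1'/><item sku='B2'/></order>"
HOSTILE = ("<?xml version='1.0'?><!DOCTYPE d [<!ENTITY xxe SYSTEM "
           "'file:///etc/passwd'>]><order>&xxe;</order>")

def demo() -> dict:
    try:
        parse_untrusted(HOSTILE)
        hostile = "accepted"
    except XXERejected:
        hostile = "rejected"
    return {"benign": parse_untrusted(BENIGN), "hostile": hostile}
```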
CVE ID · Title · Product · CVSS · Severity · Published
CVE-2025-11140 · Bjskzy Zhiyou ERP com.artery.richclient.RichClientService openForm xml external entity reference · Zhiyou ERP · 7.3 · High · 2025-09-29
CVE-2025-11035 · Jinher OA text xml external entity reference · OA · 6.3 · Medium · 2025-09-26
CVE-2025-10816 · Jinher OA XML text xml external entity reference · OA · 7.3 · High · 2025-09-22
CVE-2025-10183 · XML External Entity Injection in TecConnect 4.1 · TecConnect · 9.1 · Critical · 2025-09-09
CVE-2025-10092 · Jinher OA XML Type xml external entity reference · OA · 7.3 · High · 2025-09-08
CVE-2025-10091 · Jinher OA XML Type xml external entity reference · OA · 7.3 · High · 2025-09-08
CVE-2023-7307 · Sangfor Behavior Management System XML External Entity Injection · Sangfor Behavior Management System (DC Management System) · 9.8 (AI) · Critical (AI) · 2025-08-27
CVE-2025-35112 · Agiloft XML external entity local path traversal · Agiloft · 4.1 · Medium · 2025-08-26
CVE-2025-57704 · EIP Builder XML External Entity Processing Information Disclosure Vulnerability · EIP Builder · 5.5 · Medium · 2025-08-26
CVE-2025-54988 · Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA · Apache Tika PDF parser module · 8.4 · High · 2025-08-20
CVE-2025-4044 · XML External Entity Injection vulnerability in various Lexmark Universal Drivers · Universal Print Driver · 8.2 · High · 2025-08-19
CVE-2025-26484 · Dell CloudLink code issue vulnerability · CloudLink · 5.5 · Medium · 2025-08-14
CVE-2025-40584 · Multiple Siemens products code issue vulnerability · SIMOTION SCOUT TIA V5.4 · 5.5 · Medium · 2025-08-12
CVE-2025-54992 · OpenKilda XXE in SAML configuration · open-kilda · 7.5 (AI) · High (AI) · 2025-08-11
CVE-2025-8355 · XXE leading to SSRF · FreeFlow Core · 7.5 · High · 2025-08-08
CVE-2025-54254 · Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) · Adobe Experience Manager · 8.6 · High · 2025-08-05
CVE-2025-36608 · Dell SmartFabric OS10 Software code issue vulnerability · SmartFabric OS10 Software · 6.5 · Medium · 2025-07-30
CVE-2025-26400 · SolarWinds Web Help Desk XML External Entity Injection (XXE) Vulnerability · Web Help Desk · 5.3 · Medium · 2025-07-29
CVE-2025-54445 · SAMSUNG MagicINFO 9 Server security vulnerability · MagicINFO 9 Server · 8.2 · High · 2025-07-23
CVE-2025-7766 · Lantronix Provisioning Manager Improper Restriction of XML External Entity Reference · Provisioning Manager · 8.0 · High · 2025-07-22
CVE-2025-34142 · ETQ Reliance CG < SE.2025.1 / < 2025.1.2 XXE Injection in SSO SAML Handler · Reliance CG (legacy) · 9.1 · - · 2025-07-22
CVE-2025-36603 · Dell AppSync code issue vulnerability · AppSync · 4.2 · Medium · 2025-07-21
CVE-2025-7824 · Jinher OA XmlHttp.aspx xml external entity reference · OA · 7.3 · High · 2025-07-19
CVE-2025-7823 · Jinher OA ProjectScheduleDelete.aspx xml external entity reference · OA · 7.3 · High · 2025-07-19
CVE-2025-53621 · DSpace vulnerable to XML External Entity (XXE) injection in import via Simple Archive Format (SAF) or import from external sources · DSpace · 6.9 · Medium · 2025-07-15
CVE-2025-53689 · Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons · Apache Jackrabbit · 9.8 · - · 2025-07-14
CVE-2025-7523 · Jinher OA DelTemp.aspx xml external entity reference · OA · 7.3 · High · 2025-07-13
CVE-2025-6438 · Schneider Electric EcoStruxure IT Data Center Expert code issue vulnerability · EcoStruxure™ IT Data Center Expert · 8.1 (AI) · High (AI) · 2025-07-11
CVE-2025-49535 · ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) · ColdFusion · 9.3 · Critical · 2025-07-08
CVE-2025-49539 · ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) · ColdFusion · 4.5 · Medium · 2025-07-08

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.