
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class 424

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 is an input-handling weakness in which an application parses XML documents without restricting external entity references. An attacker who controls the XML can declare entities whose URIs point at local files, remote servers, or internal network resources, and the parser resolves them on the application's behalf: this allows reading sensitive system files, server-side request forgery against hosts the attacker cannot reach directly, and denial of service through entities that resolve to large, never-ending, or recursively nested content. The mitigation is to disable external entity processing in the parser: use XML libraries that block external entities by default, configure the parser to reject any DTD or entity declaration, and validate input so that only expected, self-contained XML reaches the parser. An XML processor that handles only internal content cannot be made to fetch or embed documents outside the application's control, which closes the data-access, SSRF, and resource-exhaustion paths this weakness opens.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-49544 | ColdFusion \| Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | ColdFusion | 6.8 | Medium | 2025-07-08
CVE-2025-49493 | Akamai CloudTest code issue vulnerability | CloudTest | 5.8 | Medium | 2025-06-30
CVE-2025-52888 | Allure 2's xunit-xml-plugin Vulnerable to Improper XXE Restriction | allure2 | 7.5 | High | 2025-06-24
CVE-2025-47293 | PowSyBl Core XML Reader allows XXE and SSRF | powsybl-core | 6.5 (AI) | Medium (AI) | 2025-06-19
CVE-2025-33121 | IBM QRadar SIEM XML external entity injection | QRadar SIEM | 7.1 | High | 2025-06-19
CVE-2025-36049 | IBM webMethods Integration Server XML external entity injection | webMethods Integration Server | 8.8 | High | 2025-06-18
CVE-2025-30220 | GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling | geoserver | 9.9 | Critical | 2025-06-10
CVE-2025-31039 | WordPress Category Icon plugin <= 1.0.3 - XML External Entity (XXE) vulnerability | Category Icon | 9.1 | Critical | 2025-06-09
CVE-2025-5877 | Fengoffice Feng Office Document Upload ApplicationDataObject.class.php xml external entity reference | Feng Office | 6.3 | Medium | 2025-06-09
CVE-2025-48882 | PHPOffice Math allows XXE when processing an XML file in the MathML format | Math | 9.8 (AI) | Critical (AI) | 2025-05-30
CVE-2025-4338 | Lantronix Device Installer Improper Restriction of XML External Entity Reference | Device Installer | 6.8 | Medium | 2025-05-22
CVE-2025-4949 | XXE vulnerability in Eclipse JGit | Eclipse JGit | 9.8 (AI) | Critical (AI) | 2025-05-21
CVE-2025-27523 | XXE vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager | JP1/IT Desktop Management 2 - Smart Device Manager | 8.7 | High | 2025-05-15
CVE-2025-4641 | XML External Entity (XXE) injection vulnerability in WebDriverManager | webdrivermanager | 7.5 (AI) | High (AI) | 2025-05-14
CVE-2025-4639 | Improper Restriction of XML External Entity Reference in Peergos | Peergos | 9.1 (AI) | Critical (AI) | 2025-05-14
CVE-2025-47778 | Sulu vulnerable to XXE in SVG File upload Inspector | sulu | 3.8 (AI) | Low (AI) | 2025-05-14
CVE-2024-51445 | Siemens Polarion code issue vulnerability | Polarion V2310 | 6.5 | Medium | 2025-05-13
CVE-2025-30018 | Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) | SAP Supplier Relationship Management (Live Auction Cockpit) | 8.6 | High | 2025-05-13
CVE-2025-2777 | SysAid On-Prem <= 23.3.40 lshw Processing XML External Entity Injection | SysAid On-Prem | 9.3 | Critical | 2025-05-07
CVE-2025-2776 | SysAid On-Prem <= 23.3.40 serverurl Processing XML External Entity Injection | SysAid On-Prem | 9.3 | Critical | 2025-05-07
CVE-2025-2775 | SysAid On-Prem <= 23.3.40 Checkin Processing XML External Entity Injection | SysAid On-Prem | 9.3 | Critical | 2025-05-07
CVE-2025-22478 | Dell Storage Manager code issue vulnerability | Dell Storage Center - Dell Storage Manager | 8.1 | High | 2025-05-06
CVE-2025-46726 | Langroid Vulnerable to XXE Injection via XMLToolMessage | langroid | 8.1 (AI) | High (AI) | 2025-05-05
CVE-2025-2905 | An XML External Entity (XXE) vulnerability in Multiple WSO2 Products | WSO2 API Manager | 9.1 | Critical | 2025-05-05
CVE-2025-34490 | GFI MailEssentials < 21.8 XXE Arbitrary File Read | MailEssentials | 6.5 | Medium | 2025-04-28
CVE-2025-2070 | Lenovo Filez code issue vulnerability | Client | 5.0 | Medium | 2025-04-25
CVE-2025-24911 | Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference | Pentaho Business Analytics Server | 4.9 | Medium | 2025-04-16
CVE-2025-24910 | Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference | Pentaho Business Analytics Server | 4.9 | Medium | 2025-04-16
CVE-2025-31497 | TEIGarage XML External Entity (XXE) Injection in Document Conversion Service | TEIGarage | 7.5 | High | 2025-04-15
CVE-2025-32406 | Nakivo Backup & Replication code issue vulnerability | Backup & Replication Director | 8.6 | High | 2025-04-08

(AI) marks a CVSS score and severity that the listing shows as AI-assessed rather than as a published vendor or NVD score.

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.