Vulnerabilities (CVE)

Filtered by CWE-611
Total 1114 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-4641 2025-05-16 N/A N/A
Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.0.2.
CVE-2025-22478 1 Dell 1 Storage Manager 2025-05-13 N/A 8.1 HIGH
Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.
CVE-2025-30018 2025-05-13 N/A 8.6 HIGH
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.
CVE-2024-51445 2025-05-13 N/A 6.5 MEDIUM
A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.
CVE-2025-34490 1 Gfi 1 Mailessentials 2025-05-10 N/A 6.5 MEDIUM
GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.
CVE-2024-22024 1 Ivanti 3 Connect Secure, Policy Secure, Zero Trust Access 2025-05-09 N/A 8.3 HIGH
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
CVE-2022-43415 1 Jenkins 1 Repo 2025-05-09 N/A 7.5 HIGH
Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-43430 1 Jenkins 1 Compuware Topaz For Total Test 2025-05-08 N/A 7.5 HIGH
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-31678 1 Vmware 2 Cloud Foundation, Nsx Data Center 2025-05-08 N/A 9.1 CRITICAL
VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
CVE-2025-2776 2025-05-08 N/A 9.3 CRITICAL
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
CVE-2025-2777 2025-05-08 N/A 9.3 CRITICAL
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
CVE-2025-2775 2025-05-08 N/A 9.3 CRITICAL
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
CVE-2018-4942 1 Adobe 1 Coldfusion 2025-05-06 5.0 MEDIUM 7.5 HIGH
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure.
CVE-2025-46726 2025-05-05 N/A N/A
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information. Version 0.53.4 fixes the issue.
CVE-2025-2905 2025-05-05 N/A 9.1 CRITICAL
An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption.
CVE-2022-21220 1 Intel 1 Quartus Prime 2025-05-05 4.6 MEDIUM 7.8 HIGH
Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-21205 1 Intel 1 Quartus Prime 2025-05-05 5.0 MEDIUM 7.5 HIGH
Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access.
CVE-2020-25020 2 Mpxj, Oracle 2 Mpxj, Primavera Unifier 2025-05-05 7.5 HIGH 9.8 CRITICAL
MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.
CVE-2022-40747 3 Ibm, Linux, Microsoft 4 Aix, Infosphere Information Server, Linux Kernel and 1 more 2025-05-05 N/A 9.1 CRITICAL
"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584."
CVE-2022-37911 1 Arubanetworks 2 Arubaos, Sd-wan 2025-05-02 N/A 3.8 LOW
Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.