Total
1158 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-50848 | 1 Rws | 1 Worldserver | 2025-06-17 | N/A | 6.5 MEDIUM |
| An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file. | |||||
| CVE-2023-26999 | 1 Netscout | 1 Ngeniusone | 2025-06-16 | N/A | 9.8 CRITICAL |
| An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. | |||||
| CVE-2025-31039 | 2025-06-12 | N/A | 9.1 CRITICAL | ||
| Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2. | |||||
| CVE-2025-44044 | 2025-06-12 | N/A | 7.5 HIGH | ||
| Keyoti SearchUnit prior to 9.0.0. is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system. | |||||
| CVE-2025-23195 | 1 Apache | 1 Ambari | 2025-06-09 | N/A | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. | |||||
| CVE-2024-22380 | 1 Maff | 1 Electronic Delivery Check System | 2025-06-05 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2025-48882 | 2025-06-02 | N/A | N/A | ||
| PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability. | |||||
| CVE-2024-23525 | 1 Tozt | 1 Spreadsheet\ | 2025-06-02 | N/A | 6.5 MEDIUM |
| The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. | |||||
| CVE-2018-20843 | 7 Canonical, Debian, Fedoraproject and 4 more | 9 Ubuntu Linux, Debian Linux, Fedora and 6 more | 2025-05-30 | 7.8 HIGH | 7.5 HIGH |
| In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). | |||||
| CVE-2023-28152 | 1 Independentsoft | 1 Jword | 2025-05-30 | N/A | 5.3 MEDIUM |
| An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | |||||
| CVE-2023-28151 | 1 Independentsoft | 1 Jspreadsheet | 2025-05-30 | N/A | 5.3 MEDIUM |
| An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | |||||
| CVE-2023-28150 | 1 Independentsoft | 1 Jodf | 2025-05-30 | N/A | 5.3 MEDIUM |
| An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | |||||
| CVE-2022-41226 | 1 Jenkins | 1 Compuware Common Configuration | 2025-05-28 | N/A | 9.8 CRITICAL |
| Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-41241 | 1 Jenkins | 1 Rqm | 2025-05-28 | N/A | 9.1 CRITICAL |
| Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2025-4338 | 2025-05-23 | N/A | 6.8 MEDIUM | ||
| Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application. | |||||
| CVE-2022-34348 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2025-05-22 | N/A | 7.1 HIGH |
| IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. | |||||
| CVE-2019-0948 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2025-05-20 | 4.3 MEDIUM | 4.7 MEDIUM |
| An information disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration. To exploit the vulnerability, an attacker could create a file containing specially crafted XML content and convince an authenticated user to import the file. The update addresses the vulnerability by modifying the way that the Event Viewer parses XML input. | |||||
| CVE-2025-4639 | 2025-05-16 | N/A | N/A | ||
| CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of WebDav servlet in Peergos. This issue affects Peergos through version 1.1.0. | |||||
| CVE-2025-47778 | 2025-05-16 | N/A | N/A | ||
| Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually. | |||||
| CVE-2025-4641 | 2025-05-16 | N/A | N/A | ||
| Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.0.2. | |||||