Total
1113 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2776 | 1 Sysaid | 1 Sysaid | 2025-06-27 | N/A | 9.3 CRITICAL |
| SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. | |||||
| CVE-2025-2775 | 1 Sysaid | 1 Sysaid | 2025-06-27 | N/A | 9.3 CRITICAL |
| SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives. | |||||
| CVE-2025-2777 | 1 Sysaid | 1 Sysaid | 2025-06-27 | N/A | 9.3 CRITICAL |
| SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives. | |||||
| CVE-2025-52888 | 2025-06-26 | N/A | 7.5 HIGH | ||
| Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue. | |||||
| CVE-2025-36049 | 2025-06-23 | N/A | 8.8 HIGH | ||
| IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. | |||||
| CVE-2025-47293 | 2025-06-23 | N/A | N/A | ||
| PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2. | |||||
| CVE-2025-33121 | 2025-06-23 | N/A | 7.1 HIGH | ||
| IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
| CVE-2024-21765 | 1 Cals-ed | 2 Electronic Delivery Check System, Electronic Delivery Item Inspection Support System | 2025-06-20 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2023-52239 | 1 Magicsoftware | 1 Magic Xpi Integration Platform | 2025-06-17 | N/A | 6.5 MEDIUM |
| The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport. | |||||
| CVE-2025-4949 | 1 Eclipse | 1 Jgit | 2025-06-17 | N/A | 9.8 CRITICAL |
| In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues. | |||||
| CVE-2024-50848 | 1 Rws | 1 Worldserver | 2025-06-17 | N/A | 6.5 MEDIUM |
| An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file. | |||||
| CVE-2023-26999 | 1 Netscout | 1 Ngeniusone | 2025-06-16 | N/A | 9.8 CRITICAL |
| An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. | |||||
| CVE-2025-31039 | 2025-06-12 | N/A | 9.1 CRITICAL | ||
| Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2. | |||||
| CVE-2025-5877 | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/ApplicationDataObject.class.php of the component Document Upload Handler. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-34711 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
| GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property. | |||||
| CVE-2025-30220 | 2025-06-12 | N/A | 9.9 CRITICAL | ||
| GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13. | |||||
| CVE-2025-44044 | 2025-06-12 | N/A | 7.5 HIGH | ||
| Keyoti SearchUnit prior to 9.0.0. is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system. | |||||
| CVE-2025-23195 | 1 Apache | 1 Ambari | 2025-06-09 | N/A | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. | |||||
| CVE-2025-1225 | 1 Yimihome | 1 Ywoa | 2025-06-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03. This issue affects the function extract of the file c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java of the component WXCallBack Interface. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-22380 | 1 Maff | 1 Electronic Delivery Check System | 2025-06-05 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||