CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-X45M-W2H7-RX2R
Vulnerability from github – Published: 2022-05-14 01:56 – Updated: 2022-05-14 01:56An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533.
{
"affected": [],
"aliases": [
"CVE-2018-8532"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-10T13:29:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka \"SQL Server Management Studio Information Disclosure Vulnerability.\" This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533.",
"id": "GHSA-x45m-w2h7-rx2r",
"modified": "2022-05-14T01:56:13Z",
"published": "2022-05-14T01:56:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8532"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45587"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105475"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041826"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X499-PM58-Q38P
Vulnerability from github – Published: 2025-07-08 21:30 – Updated: 2025-07-08 21:30ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
{
"affected": [],
"aliases": [
"CVE-2025-49535"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T21:15:26Z",
"severity": "CRITICAL"
},
"details": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.",
"id": "GHSA-x499-pm58-q38p",
"modified": "2025-07-08T21:30:28Z",
"published": "2025-07-08T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49535"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4CF-86PP-49RW
Vulnerability from github – Published: 2022-05-14 02:19 – Updated: 2022-05-14 02:19JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vulnerability appears to have been fixed in after commit 89f855d.
{
"affected": [],
"aliases": [
"CVE-2018-1000652"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-20T19:31:00Z",
"severity": "CRITICAL"
},
"details": "JabRef version \u003c=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vulnerability appears to have been fixed in after commit 89f855d.",
"id": "GHSA-x4cf-86pp-49rw",
"modified": "2022-05-14T02:19:25Z",
"published": "2022-05-14T02:19:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000652"
},
{
"type": "WEB",
"url": "https://github.com/JabRef/jabref/issues/4229"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/08/08/JabRef-XXE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4Q2-P9FR-44FF
Vulnerability from github – Published: 2022-12-28 21:30 – Updated: 2023-01-06 18:30A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-4818"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.",
"id": "GHSA-x4q2-p9fr-44ff",
"modified": "2023-01-06T18:30:22Z",
"published": "2022-12-28T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4818"
},
{
"type": "WEB",
"url": "https://github.com/Talend/tmdm-server-se/pull/1598"
},
{
"type": "WEB",
"url": "https://github.com/Talend/tmdm-server-se/commit/95590db2ad6a582c371273ceab1a73ad6ed47853"
},
{
"type": "WEB",
"url": "https://github.com/Talend/tmdm-server-se/releases/tag/snap%2Fmaster%2F20221220_1938"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216997"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216997"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X4R9-GMW3-HXWW
Vulnerability from github – Published: 2026-06-12 18:23 – Updated: 2026-06-12 18:23Summary
A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).
Details
This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):
Impact
This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.
Workaround
GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Resources
https://osgeo-org.atlassian.net/browse/GEOS-11867 https://github.com/geoserver/geoserver/pull/8622
Credits:
- Le Mau Anh Phong at Verichains Cyber Force
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.27.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.27.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58175"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T18:23:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).\n\n### Details\nThis vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0):\n\n### Impact\nThis vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.\n\n### Workaround\nGeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., `https://somesite.org` instead of `https://somesite.org/` or `https://somesite.org/geoserver`). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.\n\n### Resources\nhttps://osgeo-org.atlassian.net/browse/GEOS-11867\nhttps://github.com/geoserver/geoserver/pull/8622\n\n### Credits:\n- Le Mau Anh Phong at Verichains Cyber Force",
"id": "GHSA-x4r9-gmw3-hxww",
"modified": "2026-06-12T18:23:35Z",
"published": "2026-06-12T18:23:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-x4r9-gmw3-hxww"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/pull/8622"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution"
}
GHSA-X58J-J539-W8MV
Vulnerability from github – Published: 2022-10-24 19:00 – Updated: 2023-08-03 22:54** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29421, GHSA-ccgm-3xw4-h5p8. Reason: This candidate is a duplicate of CVE-2021-29421. Notes: All CVE users should reference CVE-2021-29421 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pikepdf"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-46849"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T22:53:44Z",
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29421, GHSA-ccgm-3xw4-h5p8. Reason: This candidate is a duplicate of CVE-2021-29421. Notes: All CVE users should reference CVE-2021-29421 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.",
"id": "GHSA-x58j-j539-w8mv",
"modified": "2023-08-03T22:54:04Z",
"published": "2022-10-24T19:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46849"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/779475"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-ccgm-3xw4-h5p8"
},
{
"type": "WEB",
"url": "https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Improper Restriction of XML External Entity Reference in pikepdf",
"withdrawn": "2023-08-03T22:53:44Z"
}
GHSA-X58R-WXC3-7PQR
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-10-27 11:43Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "2.11"
},
{
"fixed": "2.12"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.11"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "2.10"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.10"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "2.9"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.9"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:mercurial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2305"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-23T23:20:09Z",
"nvd_published_at": "2020-11-04T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nMercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.",
"id": "GHSA-x58r-wxc3-7pqr",
"modified": "2023-10-27T11:43:00Z",
"published": "2022-05-24T17:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2305"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/mercurial-plugin/commit/84af58b08f80bb92792f7bc04a31487f3eeee95a"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2305.json"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/mercurial-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Mercurial Plugin"
}
GHSA-X5QJ-644J-7XC7
Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2025-04-12 13:00ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
{
"affected": [],
"aliases": [
"CVE-2015-8866"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-05-22T01:59:00Z",
"severity": "CRITICAL"
},
"details": "ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.",
"id": "GHSA-x5qj-644j-7xc7",
"modified": "2025-04-12T13:00:20Z",
"published": "2022-05-14T01:33:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8866"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=64938"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=de31324c221c1791b26350ba106cc26bad23ace9"
},
{
"type": "WEB",
"url": "http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2750.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/04/24/1"
},
{
"type": "WEB",
"url": "http://www.php.net/ChangeLog-5.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/87470"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2952-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2952-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X64M-686F-FMM3
Vulnerability from github – Published: 2022-05-17 05:09 – Updated: 2024-05-21 20:17The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-1665"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-21T20:17:46Z",
"nvd_published_at": "2013-04-03T00:55:00Z",
"severity": "MODERATE"
},
"details": "The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
"id": "GHSA-x64m-686f-fmm3",
"modified": "2024-05-21T20:17:47Z",
"published": "2022-05-17T05:09:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1665"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1100279"
},
{
"type": "WEB",
"url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"
},
{
"type": "WEB",
"url": "http://bugs.python.org/issue17239"
},
{
"type": "WEB",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-1757-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2013/dsa-2634"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "XML External Entity (XXE) in Django"
}
GHSA-X6G4-FWCC-JJ8W
Vulnerability from github – Published: 2026-05-27 21:09 – Updated: 2026-05-27 21:09Description
symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages.
Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml's DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.
Resolution
The Crawler::addXmlContent method does not set the validateOnParse flag anymore.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/dom-crawler"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45071"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:09:44Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`symfony/dom-crawler` provides the `Crawler` class for navigating HTML/XML documents with CSS/XPath selectors; `symfony/browser-kit`\u0027s `HttpBrowser` uses it to parse fetched pages.\n\n`Crawler::addXmlContent()` sets `DOMDocument::$validateOnParse = true` before calling `loadXML()`. Setting `validateOnParse` re-enables libxml\u0027s DTD subset processing, including external entity resolution, even though `LIBXML_NONET` is passed. `LIBXML_NONET` blocks **network** fetches but not `file://` entities. An attacker-supplied XML document with a `SYSTEM \"file:///etc/passwd\"` entity is therefore expanded.\n\n### Resolution\n\nThe `Crawler::addXmlContent` method does not set the `validateOnParse` flag anymore.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
"id": "GHSA-x6g4-fwcc-jj8w",
"modified": "2026-05-27T21:09:45Z",
"published": "2026-05-27T21:09:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.