CWE-643
AllowedImproper Neutralization of Data within XPath Expressions ('XPath Injection')
Abstraction: Base · Status: Incomplete
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
25 vulnerabilities reference this CWE, most recent first.
CVE-2023-24922 (GCVE-0-2023-24922)
Vulnerability from cvelistv5 – Published: 2023-03-14 16:55 – Updated: 2025-01-01 00:48- CWE-643 - Improper Neutralization of Data within XPath Expressions ('XPath Injection')
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Dynamics 365 (on-premises) version 9.0 |
Affected:
9.0.0 , < 9.0.45.11
(custom)
|
|
| Microsoft | Microsoft Dynamics 365 (on-premises) version 9.1 |
Affected:
9.0 , < 9.1.16.20
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:11:42.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Microsoft Dynamics 365 Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24922"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Microsoft Dynamics 365 (on-premises) version 9.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "9.0.45.11",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Microsoft Dynamics 365 (on-premises) version 9.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "9.1.16.20",
"status": "affected",
"version": "9.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*",
"versionEndExcluding": "9.0.45.11",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*",
"versionEndExcluding": "9.1.16.20",
"versionStartIncluding": "9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-03-14T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-643",
"description": "CWE-643: Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T00:48:13.214Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24922"
}
],
"title": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-24922",
"datePublished": "2023-03-14T16:55:32.750Z",
"dateReserved": "2023-01-31T20:37:47.253Z",
"dateUpdated": "2025-01-01T00:48:13.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43840 (GCVE-0-2022-43840)
Vulnerability from cvelistv5 – Published: 2025-04-14 20:43 – Updated: 2025-08-15 15:21- CWE-643 - Improper Neutralization of Data within XPath Expressions ('XPath Injection')
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7169766 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Aspera Console |
Affected:
3.4.0 , ≤ 3.4.4
(semver)
cpe:2.3:a:ibm:aspera_console:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_console:3.4.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T21:12:41.560281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-643",
"description": "CWE-643 Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:24:21.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_console:3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_console:3.4.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Aspera Console",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Aspera Console 3.4.0 through 3.4.4\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eis vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.\u003c/span\u003e"
}
],
"value": "IBM Aspera Console 3.4.0 through 3.4.4\n\nis vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-643",
"description": "CWE-643 Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T15:21:04.574Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7169766"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eIt is recommended that customers upgrade to the latest version of IBM Aspera Console:\u003c/strong\u003e\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eFixing VRM\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ePlatform\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLink to Fix\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Aspera Console\u003c/td\u003e\u003ctd\u003e\u003cdiv\u003e3.4.5\u003c/div\u003e\u003c/td\u003e\u003ctd\u003eWindows\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/IBM+Aspera+Console\u0026amp;release=All\u0026amp;platform=Windows\u0026amp;function=fixId\u0026amp;fixids=ibm-aspera-console-3.4.5.132-d94da33-windows-32\u0026amp;includeRequisites=1\u0026amp;includeSupersedes=0\u0026amp;downloadMethod=http\"\u003eclick here\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Aspera Console\u003c/td\u003e\u003ctd\u003e\u003cdiv\u003e3.4.5\u003c/div\u003e\u003c/td\u003e\u003ctd\u003eLinux\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software\u0026amp;product=ibm/Other+software/IBM+Aspera+Console\u0026amp;release=All\u0026amp;platform=Linux\u0026amp;function=fixId\u0026amp;fixids=ibm-aspera-console-3.4.5.31-65f2112.x86_64\u0026amp;includeRequisites=1\u0026amp;includeSupersedes=0\u0026amp;downloadMethod=http\"\u003eclick here\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
}
],
"value": "It is recommended that customers upgrade to the latest version of IBM Aspera Console:\n\nProduct(s)Fixing VRMPlatformLink to FixIBM Aspera Console3.4.5\n\nWindows click here https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Aspera Console3.4.5\n\nLinux click here https://www.ibm.com/support/fixcentral/swg/downloadFixes"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Aspera Console XPath injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-43840",
"datePublished": "2025-04-14T20:43:28.652Z",
"dateReserved": "2022-10-26T15:46:22.820Z",
"dateUpdated": "2025-08-15T15:21:04.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25162 (GCVE-0-2020-25162)
Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29- CWE-643 - XPath Injection
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsma-… | x_refsource_CONFIRM |
| https://www.bbraun.com/en/products-and-therapies/… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| B. Braun Melsungen AG | SpaceCom |
Affected:
unspecified , ≤ U61
(custom)
Affected: unspecified , ≤ L81 (custom) |
|
| B. Braun Melsungen AG | Battery pack with Wi-Fi |
Affected:
unspecified , ≤ U61
(custom)
Affected: unspecified , ≤ L81 (custom) |
|
| B. Braun Melsungen AG | Data module compactplus |
Affected:
A10
Affected: A11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:57:38.755895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:29:59.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SpaceCom",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "U61",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "L81",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Battery pack with Wi-Fi",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"lessThanOrEqual": "U61",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "L81",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Data module compactplus",
"vendor": "B. Braun Melsungen AG",
"versions": [
{
"status": "affected",
"version": "A10"
},
{
"status": "affected",
"version": "A11"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
}
],
"descriptions": [
{
"lang": "en",
"value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-643",
"description": "CWE-643: XPath Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T20:05:57.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
}
],
"solutions": [
{
"lang": "en",
"value": "B. Braun recommends applying updates:\n\n SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
"workarounds": [
{
"lang": "en",
"value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n Ensure the devices are not accessible directly from the Internet.\n Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25162",
"STATE": "PUBLIC",
"TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SpaceCom",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "U61"
},
{
"version_affected": "\u003c=",
"version_value": "L81"
}
]
}
},
{
"product_name": "Battery pack with Wi-Fi",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "U61"
},
{
"version_affected": "\u003c=",
"version_value": "L81"
}
]
}
},
{
"product_name": "Data module compactplus",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "A10"
},
{
"version_affected": "=",
"version_value": "A11"
}
]
}
}
]
},
"vendor_name": "B. Braun Melsungen AG"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-643: XPath Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
},
{
"name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
"refsource": "CONFIRM",
"url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "B. Braun recommends applying updates:\n\n SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n Ensure the devices are not accessible directly from the Internet.\n Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory. https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25162",
"datePublished": "2022-04-14T20:05:57.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:29:59.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2785-QQ7P-X3CJ
Vulnerability from github – Published: 2026-05-29 18:31 – Updated: 2026-05-29 18:31Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2026-44962"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T16:16:27Z",
"severity": "CRITICAL"
},
"details": "Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.",
"id": "GHSA-2785-qq7p-x3cj",
"modified": "2026-05-29T18:31:34Z",
"published": "2026-05-29T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44962"
},
{
"type": "WEB",
"url": "https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38MG-WM59-G64X
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 03:24A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "composio-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8955"
],
"database_specific": {
"cwe_ids": [
"CWE-643",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T03:24:41Z",
"nvd_published_at": "2025-03-20T10:15:45Z",
"severity": "MODERATE"
},
"details": "A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions.",
"id": "GHSA-38mg-wm59-g64x",
"modified": "2025-03-21T03:24:41Z",
"published": "2025-03-20T12:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8955"
},
{
"type": "PACKAGE",
"url": "https://github.com/ComposioHQ/composio"
},
{
"type": "WEB",
"url": "https://github.com/ComposioHQ/composio/blob/master/python/composio/tools/local/browsertool/actions/goto_page.py#L1"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/13bc0399-2d9b-449e-95f2-6e9a7e39383d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "composio allows Server-Side Request Forgery (SSRF) in BROWSERTOOL"
}
GHSA-429C-H8F6-FCQ6
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-40699"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:43Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-429c-h8f6-fcq6",
"modified": "2026-05-13T18:30:55Z",
"published": "2026-05-13T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40699"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000156734"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8MF9-RMGW-33QC
Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2025-10-22 19:38Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "smolagents"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-11844"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:38:34Z",
"nvd_published_at": "2025-10-22T14:15:49Z",
"severity": "MODERATE"
},
"details": "Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.",
"id": "GHSA-8mf9-rmgw-33qc",
"modified": "2025-10-22T19:38:34Z",
"published": "2025-10-22T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11844"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/smolagents/commit/f570ed5e17999d4cf7d5e79c2830fbaefab8a794"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/smolagents"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/01ab4405-9bca-4b26-b7a3-5ca1863a69b4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function"
}
GHSA-9XG8-VX2W-7C89
Vulnerability from github – Published: 2024-07-11 00:32 – Updated: 2024-07-11 00:32An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.
While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device. This issue affects Junos OS:
- All versions before 21.2R3-S8,
- from 21.4 before 21.4R3-S7,
- from 22.2 before 22.2R3-S4,
- from 22.3 before 22.3R3-S3,
- from 22.4 before 22.4R3-S2,
- from 23.2 before 23.2R2,
- from 23.4 before 23.4R1-S1, 23.4R2.
{
"affected": [],
"aliases": [
"CVE-2024-39565"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T23:15:13Z",
"severity": "HIGH"
},
"details": "An Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027) vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to\u00a0execute\u00a0remote commands on the target device.\u00a0\n\nWhile an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user\u0027s credentials. In the worst case, the attacker will have full control over the device.\nThis issue affects Junos OS:\u00a0\n\n\n\n * All versions before 21.2R3-S8,\u00a0\n * from 21.4 before 21.4R3-S7,\n * from 22.2 before 22.2R3-S4,\n * from 22.3 before 22.3R3-S3,\n * from 22.4 before 22.4R3-S2,\n * from 23.2 before 23.2R2,\n * from 23.4 before 23.4R1-S1, 23.4R2.",
"id": "GHSA-9xg8-vx2w-7c89",
"modified": "2024-07-11T00:32:51Z",
"published": "2024-07-11T00:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39565"
},
{
"type": "WEB",
"url": "https://support.juniper.net/support/downloads/?p=283"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA83023"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-C94C-G2HM-XG4P
Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2024-03-20 15:32A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to improper neutralization of data within xpath expressions. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257286 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-2648"
],
"database_specific": {
"cwe_ids": [
"CWE-643",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-19T23:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to improper neutralization of data within xpath expressions. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257286 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-c94c-g2hm-xg4p",
"modified": "2024-03-20T15:32:25Z",
"published": "2024-03-20T15:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2648"
},
{
"type": "WEB",
"url": "https://github.com/flyyue2001/cve/blob/main/NS-ASG-sql-naccheck.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.257286"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.257286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJ57-W9C9-X3X9
Vulnerability from github – Published: 2025-04-14 21:32 – Updated: 2025-04-14 21:32IBM Aspera Console 3.4.0 through 3.4.4
is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.
{
"affected": [],
"aliases": [
"CVE-2022-43840"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T21:15:16Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Console 3.4.0 through 3.4.4\n\nis vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.",
"id": "GHSA-gj57-w9c9-x3x9",
"modified": "2025-04-14T21:32:24Z",
"published": "2025-04-14T21:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43840"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7169766"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
Mitigation
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
No CAPEC attack patterns related to this CWE.