CWE-643
AllowedImproper Neutralization of Data within XPath Expressions ('XPath Injection')
Abstraction: Base · Status: Incomplete
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
25 vulnerabilities reference this CWE, most recent first.
GHSA-GWCC-J6R9-59P8
Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2024-03-20 15:32A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation of the argument UserId leads to improper neutralization of data within xpath expressions. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257283. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-2645"
],
"database_specific": {
"cwe_ids": [
"CWE-643",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-19T23:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation of the argument UserId leads to improper neutralization of data within xpath expressions. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257283. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-gwcc-j6r9-59p8",
"modified": "2024-03-20T15:32:25Z",
"published": "2024-03-20T15:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2645"
},
{
"type": "WEB",
"url": "https://github.com/flyyue2001/cve/blob/main/NS-ASG-sql-laddfirewall.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.257283"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.257283"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JR4C-VCM8-65VH
Vulnerability from github – Published: 2026-02-10 12:30 – Updated: 2026-02-10 18:30Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-24343"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T10:15:59Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027) vulnerability in Apache HertzBeat.\n\nThis issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.",
"id": "GHSA-jr4c-vcm8-65vh",
"modified": "2026-02-10T18:30:36Z",
"published": "2026-02-10T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24343"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b2k3jqwffrbo2sy6bl4n0f68kp8bfo1n"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/02/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M67R-C84W-9M53
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-22 00:00A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2020-25162"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.",
"id": "GHSA-m67r-c84w-9m53",
"modified": "2022-04-22T00:00:46Z",
"published": "2022-04-15T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25162"
},
{
"type": "WEB",
"url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7VR-WG3F-8HR9
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 16:53Concrete5 CMS version 9.1.3 contains an XPath injection vulnerability that allows attackers to manipulate URL path parameters with malicious payloads. Attackers can flood the system with crafted requests to potentially extract internal content paths and system information.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"versions": [
"9.1.3"
]
}
],
"aliases": [
"CVE-2022-50807"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-14T16:53:51Z",
"nvd_published_at": "2026-01-13T23:15:50Z",
"severity": "MODERATE"
},
"details": "Concrete5 CMS version 9.1.3 contains an XPath injection vulnerability that allows attackers to manipulate URL path parameters with malicious payloads. Attackers can flood the system with crafted requests to potentially extract internal content paths and system information.",
"id": "GHSA-r7vr-wg3f-8hr9",
"modified": "2026-01-14T16:53:51Z",
"published": "2026-01-14T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50807"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
},
{
"type": "WEB",
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3"
},
{
"type": "WEB",
"url": "https://www.concretecms.org"
},
{
"type": "WEB",
"url": "https://www.concretecms.org/download"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51144"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/concrete-cme-xpath-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Concrete5 CMS contains an XPath injection vulnerability"
}
GHSA-WXR2-PWC5-7WGV
Vulnerability from github – Published: 2025-08-14 18:31 – Updated: 2025-08-14 18:31A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an affected device.
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.
{
"affected": [],
"aliases": [
"CVE-2025-20218"
],
"database_specific": {
"cwe_ids": [
"CWE-643"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T17:15:35Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an affected device.\n\nThis vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the affected device.\nTo exploit this vulnerability, the attacker must have valid administrative credentials.",
"id": "GHSA-wxr2-pwc5-7wgv",
"modified": "2025-08-14T18:31:29Z",
"published": "2025-08-14T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20218"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xpathinj-COrThdMb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
Mitigation
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
No CAPEC attack patterns related to this CWE.