Common Weakness Enumeration

CWE-91

Allowed-with-Review

XML Injection (aka Blind XPath Injection)

Abstraction: Base · Status: Draft

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

190 vulnerabilities reference this CWE, most recent first.

GHSA-JX9G-7QH9-QWJ2

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-06-01 00:00
VLAI
Details

A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787",
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-13T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT\u0026T Labs\u2019 Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.",
  "id": "GHSA-jx9g-7qh9-qwj2",
  "modified": "2022-06-01T00:00:25Z",
  "published": "2022-05-24T22:28:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21830"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXXQ-V434-PMG5

Vulnerability from github – Published: 2025-11-10 00:30 – Updated: 2025-11-10 00:30
VLAI
Details

A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T00:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-jxxq-v434-pmg5",
  "modified": "2025-11-10T00:30:24Z",
  "published": "2025-11-10T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md#poc"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.331641"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.331641"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.680872"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M3P3-XHRF-JXM7

Vulnerability from github – Published: 2023-05-18 09:30 – Updated: 2024-04-04 04:14
VLAI
Details

Umbraco CMS 7.12.4 allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-18T07:15:08Z",
    "severity": "HIGH"
  },
  "details": "Umbraco CMS 7.12.4 allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.",
  "id": "GHSA-m3p3-xhrf-jxm7",
  "modified": "2024-04-04T04:14:15Z",
  "published": "2023-05-18T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25137"
    },
    {
      "type": "WEB",
      "url": "https://0xdf.gitlab.io/2020/09/05/htb-remote.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ickarah/CVE-2019-25137-Version-Research"
    },
    {
      "type": "WEB",
      "url": "https://github.com/noraj/Umbraco-RCE"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46153"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF9J-RPWF-5XGF

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 211402.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-02T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 211402.",
  "id": "GHSA-mf9j-rpwf-5xgf",
  "modified": "2022-05-24T19:19:27Z",
  "published": "2022-05-24T19:19:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38948"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211402"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6509632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MH3M-QV7G-HJVV

Vulnerability from github – Published: 2023-03-18 00:30 – Updated: 2023-03-23 15:30
VLAI
Details

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-17T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.",
  "id": "GHSA-mh3m-qv7g-hjvv",
  "modified": "2023-03-23T15:30:29Z",
  "published": "2023-03-18T00:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94"
    },
    {
      "type": "WEB",
      "url": "https://redmine.pfsense.org/issues/13935"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPF7-M9X4-8PXW

Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25
VLAI
Details

Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-3931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-21T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.",
  "id": "GHSA-mpf7-m9x4-8pxw",
  "modified": "2022-05-17T02:25:46Z",
  "published": "2022-05-17T02:25:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3931"
    },
    {
      "type": "WEB",
      "url": "https://e-szigno.hu/letoltesek/programok-driverek.html"
    },
    {
      "type": "WEB",
      "url": "https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-documents-had-to-be-reverified"
    },
    {
      "type": "WEB",
      "url": "https://www.search-lab.hu/eakta"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/132473/Microsec-e-Szigno-Netlock-Mokka-XML-Signature-Wrapping.html"
    },
    {
      "type": "WEB",
      "url": "http://www.neih.gov.hu/?q=node/66"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/75487"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR9X-R224-2F2X

Vulnerability from github – Published: 2022-05-14 02:00 – Updated: 2022-05-14 02:00
VLAI
Details

DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-21T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a \"\u003cfile type=\u0027file\u0027 name=\u0027../\" substring.",
  "id": "GHSA-mr9x-r224-2f2x",
  "modified": "2022-05-14T02:00:54Z",
  "published": "2022-05-14T02:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ky-j/dedecms/issues/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW95-GMW4-883P

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2024-01-10 20:09
VLAI
Summary
Magento XML injection in the Widgets module
Details

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.6-p1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.1-p1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T20:09:23Z",
    "nvd_published_at": "2021-02-11T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.",
  "id": "GHSA-mw95-gmw4-883p",
  "modified": "2024-01-10T20:09:23Z",
  "published": "2022-05-24T17:41:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21019"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento XML injection in the Widgets module"
}

GHSA-MWWQ-V92J-38XR

Vulnerability from github – Published: 2023-11-16 21:30 – Updated: 2023-11-16 21:30
VLAI
Details

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-16T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.",
  "id": "GHSA-mwwq-v92j-38xr",
  "modified": "2023-11-16T21:30:46Z",
  "published": "2023-11-16T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46214"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2023-1104"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/6cb7e011-55fb-48e3-a98d-164fa854e37e"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/a053e6a6-2146-483a-9798-2d43652f3299"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176154/Splunk-XSLT-Upload-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P2VM-88RG-WFR2

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-06-03 15:51
VLAI
Summary
XML injection in Crafter CMS
Details

In Crafter CMS Crafter Studio 3.0 prior to 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.craftercms:crafter-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-03T15:51:04Z",
    "nvd_published_at": "2020-11-27T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Crafter CMS Crafter Studio 3.0 prior to 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.",
  "id": "GHSA-p2vm-88rg-wfr2",
  "modified": "2022-06-03T15:51:04Z",
  "published": "2022-05-24T17:34:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15683"
    },
    {
      "type": "WEB",
      "url": "https://docs.craftercms.org/en/3.0/security/advisory.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML injection in Crafter CMS"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

CAPEC-83: XPath Injection

An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.