CWE-611(Improper Restriction of XML External Entity Reference)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE カタログからの補足説明(MITRE XHTML を基に表示)。
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| language | XML | — | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-49383 | 2026-05-29 | In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible |
| CVE-2026-2253 | 2026-05-27 | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities. |
| CVE-2026-3603 | 2026-05-26 | IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML extern… |
| CVE-2026-46722 | 2026-05-19 | The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requ… |
| CVE-2026-39053 | 2026-05-15 | Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.… |
| CVE-2026-44445 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enabl… |
| CVE-2026-41895 | 2026-05-12 | changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) w… |
| CVE-2026-42212 | 2026-05-08 | SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE… |
| CVE-2023-42346 | 2026-05-08 | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. |
| CVE-2023-42344 | 2026-05-08 | Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. |
| CVE-2026-41936 | 2026-05-06 | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modi… |
| CVE-2026-38429 | 2026-05-05 | OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml. |
| CVE-2026-40682 | 2026-05-04 | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor c… |
| CVE-2026-6501 | 2026-05-04 | Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This issue affects jOpenDocument: 1.5. |
| CVE-2026-36765 | 2026-04-30 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. |
| CVE-2025-14543 | 2026-04-30 | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0… |
| CVE-2024-13971 | 2026-04-30 | Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server an… |
| CVE-2024-39847 | 2026-04-30 | Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjac… |
| CVE-2026-41066 | 2026-04-24 | lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML inp… |
| CVE-2026-40882 | 2026-04-22 | OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Taxonomy_Mappings |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Background_Details, Other_Notes |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, References, Relationships, Relevant_Properties |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Name, Type |
| 2019-09-19 | CWE Content Team | 3.4 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Relationships |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Alternate_Terms, Common_Consequences, Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Background_Details, Common_Consequences, Description, Diagram, Relationships, Weakness_Ordinalities |