CWE-643(Improper Neutralization of Data within XPath Expressions ('XPath Injection'))は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-44962 | 2026-05-29 | Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allo… |
| CVE-2026-40699 | 2026-05-13 | A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. Note: Software vers… |
| CVE-2026-24343 | 2026-02-10 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0. Users are recommended to… |
| CVE-2025-11844 | 2025-10-22 | Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath qu… |
| CVE-2025-20218 | 2025-08-14 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an … |
| CVE-2022-43840 | 2025-04-14 | IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the str… |
| CVE-2024-39565 | 2024-07-10 | An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execu… |
| CVE-2024-2648 | 2024-03-19 | A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of… |
| CVE-2024-2645 | 2024-03-19 | A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation … |
| CVE-2023-36433 | 2023-10-10 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| CVE-2023-36429 | 2023-10-10 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| CVE-2023-24922 | 2023-03-14 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| CVE-2020-25162 | 2022-04-14 | A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to acces… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Relationships |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description, Name, References, Relationship_Notes |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Demonstrative_Examples |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Name |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Common_Consequences |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Taxonomy_Mappings |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Description, Name |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Enabling_Factors_for_Exploitation |
| 2010-12-13 | CWE Content Team | 1.11 | — | updated Common_Consequences |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |