Explore CVEs related to XXE vulnerabilities. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing XXE CVEs across all publication years. View full CVE list
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-49383 | In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible | 3.3 | 0.00% | 2026-05-29 | 2026-06-01 |
| CVE-2026-2253 | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities. | 7.7 | 0.03% | 2026-05-27 | 2026-05-27 |
| CVE-2026-3603 | IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | 7.1 | 0.02% | 2026-05-26 | 2026-06-02 |
| CVE-2026-46722 | The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. | 5.9 | 0.05% | 2026-05-19 | 2026-05-19 |
| CVE-2026-39053 | Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML(...) or ViewXmlUtils.fromXML(...), unsafe XML processing can lead to file disclosure or SSRF. | 6.5 | 0.05% | 2026-05-15 | 2026-05-18 |
| CVE-2026-44445 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configuration files. This vulnerability is fixed in 15.104.3 and 16.12.0. | 5.3 | 0.05% | 2026-05-13 | 2026-05-14 |
| CVE-2026-23822 | A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x | 5.3 | 0.07% | 2026-05-12 | 2026-05-13 |
| CVE-2026-41895 | changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...). | 8.2 | 0.04% | 2026-05-12 | 2026-05-13 |
| CVE-2026-31248 | Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of servi | 7.5 | 0.05% | 2026-05-11 | 2026-05-13 |
| CVE-2026-42212 | SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid | 7.1 | 0.05% | 2026-05-08 | 2026-05-12 |
| CVE-2023-42346 | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. | 7.5 | 0.08% | 2026-05-08 | 2026-05-11 |
| CVE-2023-42344 | Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | 7.3 | 13.67% | 2026-05-08 | 2026-05-08 |
| CVE-2026-41936 | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privi | 8.6 | 0.04% | 2026-05-06 | 2026-05-06 |
| CVE-2026-38429 | OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml. | 9.8 | 0.06% | 2026-05-05 | 2026-05-06 |
| CVE-2026-40682 | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support — external entity resolution and DOCTYPE declarations r | 9.1 | 0.09% | 2026-05-04 | 2026-05-06 |
| CVE-2026-6501 | Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This issue affects jOpenDocument: 1.5. | 5.3 | 0.06% | 2026-05-04 | 2026-05-05 |
| CVE-2026-36765 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. | 8.8 | 0.06% | 2026-04-30 | 2026-05-04 |
| CVE-2025-14543 | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. | 8.8 | 0.04% | 2026-04-30 | 2026-05-04 |
| CVE-2024-13971 | Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 7.7 | 0.02% | 2026-04-30 | 2026-05-17 |
| CVE-2024-39847 | Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 8.7 | 0.04% | 2026-04-30 | 2026-05-17 |