CVE List by Type: XXE (Filtered by Published Year)

Explore CVEs related to XXE vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.

Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.

You're viewing XXE CVEs published in 2019. View full CVE list

Showing 120 of 144 results
«« First « Prev Page 1 / 8 Next »
CVE Description Max CVSS EPSS % Published Updated
CVE-2019-19032 XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload. 8.1 4.51% 2019-12-30 2026-06-16
CVE-2019-19031 Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. 8.1 5.16% 2019-12-30 2026-06-16
CVE-2019-19998 Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. 7.5 1.10% 2019-12-25 2026-06-16
CVE-2012-2656 An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information. 7.5 2.05% 2019-12-18 2026-06-16
CVE-2019-16549 Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. 8.1 0.97% 2019-12-17 2026-06-16
CVE-2014-3643 jersey: XXE via parameter entities not disabled by the jersey SAX parser 7.5 2.14% 2019-12-15 2026-06-16
CVE-2017-18640 The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. 7.5 26.72% 2019-12-11 2026-06-16
CVE-2019-19702 The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain. 7.5 1.47% 2019-12-10 2026-06-16
CVE-2019-11216 BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed. 6.5 1.84% 2019-12-04 2026-06-16
CVE-2019-17554 The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks. 5.5 12.25% 2019-12-04 2026-06-16
CVE-2011-3600 The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04. 7.5 15.91% 2019-11-25 2026-06-16
CVE-2019-10080 The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses. 6.5 2.26% 2019-11-19 2026-06-16
CVE-2019-17085 XXE attack vulnerability on Micro Focus Operations Agent, affected version 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent. 6.5 0.77% 2019-11-18 2026-06-16
CVE-2018-20687 An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. 9.8 2.53% 2019-11-18 2026-06-16
CVE-2019-10172 A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. 7.5 17.04% 2019-11-18 2026-06-16
CVE-2019-14678 SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used. 10.0 2.95% 2019-11-14 2026-06-16
CVE-2014-3599 HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy 6.5 1.20% 2019-11-12 2026-06-16
CVE-2019-12331 PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack. 8.8 1.35% 2019-11-07 2026-06-16
CVE-2019-8126 An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure. 4.9 0.88% 2019-11-05 2026-06-16
CVE-2013-6461 Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits 6.5 2.19% 2019-11-05 2026-06-16
«« First « Prev Page 1 / 8 Next »
cvelogic Threat Intelligence