Total
1208 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4338 | 2025-05-23 | 6.8 Medium | ||
| Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application. | ||||
| CVE-2022-34348 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2025-05-22 | 7.1 High |
| IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. | ||||
| CVE-2019-0948 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2025-05-20 | 4.7 Medium |
| An information disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration. To exploit the vulnerability, an attacker could create a file containing specially crafted XML content and convince an authenticated user to import the file. The update addresses the vulnerability by modifying the way that the Event Viewer parses XML input. | ||||
| CVE-2025-4639 | 2025-05-16 | N/A | ||
| CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of WebDav servlet in Peergos. This issue affects Peergos through version 1.1.0. | ||||
| CVE-2025-4641 | 2025-05-16 | N/A | ||
| Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.0.2. | ||||
| CVE-2025-27523 | 2025-05-16 | 8.7 High | ||
| XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06. | ||||
| CVE-2024-1167 | 1 Seweurodrive | 1 Movitools Motionstudio | 2025-05-15 | 5.5 Medium |
| When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. | ||||
| CVE-2025-22478 | 1 Dell | 1 Storage Manager | 2025-05-13 | 8.1 High |
| Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | ||||
| CVE-2025-30018 | 2025-05-13 | 8.6 High | ||
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application. | ||||
| CVE-2024-49064 | 1 Microsoft | 1 Sharepoint Server | 2025-05-13 | 6.5 Medium |
| Microsoft SharePoint Information Disclosure Vulnerability | ||||
| CVE-2022-3338 | 1 Mcafee | 1 Epolicy Orchestrator | 2025-05-13 | 5.4 Medium |
| An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API. | ||||
| CVE-2022-43415 | 1 Jenkins | 1 Repo | 2025-05-09 | 7.5 High |
| Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-43430 | 1 Jenkins | 1 Compuware Topaz For Total Test | 2025-05-08 | 7.5 High |
| Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-31678 | 1 Vmware | 2 Cloud Foundation, Nsx Data Center | 2025-05-08 | 9.1 Critical |
| VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. | ||||
| CVE-2018-4942 | 1 Adobe | 1 Coldfusion | 2025-05-06 | 7.5 High |
| Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure. | ||||
| CVE-2022-43570 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-05-05 | 8.8 High |
| In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error. | ||||
| CVE-2022-21220 | 1 Intel | 1 Quartus Prime | 2025-05-05 | 7.8 High |
| Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2022-21205 | 1 Intel | 1 Quartus Prime | 2025-05-05 | 7.5 High |
| Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access. | ||||
| CVE-2020-25020 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2025-05-05 | 9.8 Critical |
| MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. | ||||
| CVE-2022-40747 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | 9.1 Critical |
| "IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584." | ||||