CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

551 matches found

Positive Technologies•added 2 days ago•4 views

PT-2026-46105

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

5.5CVSS5.8AI score

Exploits0References4

Vulnrichment•added 2026/05/26 6:17 p.m.•8 views

CVE-2026-3603 IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external entity injection (XXE) attack

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection XXE attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources...

7.1CVSS5.8AI score0.00022EPSS

Exploits0References1

NVD•added 2026/05/22 1:16 p.m.•10 views

CVE-2026-44618

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

5.3CVSS0.00167EPSS

Exploits0References2

CNNVD•added 2026/05/22 12:0 a.m.•6 views

Apache CXF 安全漏洞

Apache CXF is an open-source web service framework developed by the Apache Foundation in the United States. This framework supports various web service standards and multiple front-end programming APIs. There is a security vulnerability in Apache CXF, which stems from an insecure XML parser...

5.3CVSS5.9AI score0.00167EPSS

Exploits0References2

RedhatCVE•added 2026/05/12 8:21 p.m.•6 views

CVE-2026-31247

Docling's JATS XML backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend uses etree.parse to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload XML Bomb. When processed by Doclin...

7.5CVSS5.8AI score0.00052EPSS

Exploits0References1

ATTACKERKB•added 2026/05/08 12:0 a.m.•4 views

CVE-2023-42344

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet...

5.8AI score0.13668EPSS

Exploits0References3

Positive Technologies•added 2026/05/06 12:0 a.m.•5 views

PT-2026-37810

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content by setting "checked". This makes classic XXE attacks possible...

9.1CVSS6.9AI score0.00553EPSS

Exploits0References5

Rosalinux•added 2026/02/16 7:27 a.m.•4 views

Advisory ROSA-SA-2026-3147

Software: jackson-databind 2.10.0 OS: ROSA Virtualization 3.1 unaffected versions = jackson-databind-2.10.0-1.0.2.rv31 affected versions jackson-databind-2.10.0-1.0.2.rv31 CVE-ID: CVE-2020-25649 BDU-ID: 2022-05602 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the DOMDeserializer component of the...

7.5CVSS6.5AI score0.00487EPSS

Exploits5

Cvelist•added 2026/02/03 3:14 p.m.•21 views

CVE-2026-23795 Apache Syncope: Console XXE on Keymaster parameters

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. Th...

0.00101EPSS

Exploits0References1

RedhatCVE•added 2026/01/09 11:30 a.m.•3 views

CVE-2021-27736

FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely...

6.5CVSS6.9AI score0.00276EPSS

Exploits1References1

RedhatCVE•added 2026/01/09 9:25 a.m.•1 views

CVE-2023-4218

In Eclipse IDE versions 2023-09 4.29 some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file for example for review a foreign repository or patch...

5CVSS6.8AI score0.00026EPSS

Exploits1References1

RedhatCVE•added 2026/01/09 8:58 a.m.•3 views

CVE-2023-45612

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE...

9.8CVSS6.8AI score0.00003EPSS

Exploits6References1

OSV•added 2025/11/28 6:32 a.m.•1 views

GHSA-X832-FPVJ-R5PH Mustangproject allows exfiltrating files via XXE attacks

Mustang before 2.16.3 allows exfiltrating files via XXE attacks...

2.8CVSS5.8AI score0.00011EPSS

Exploits0References6

NVD•added 2025/11/28 4:16 a.m.•3 views

CVE-2025-66371

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host...

5CVSS0.00013EPSS

Exploits0References4

Vulnrichment•added 2025/11/28 12:0 a.m.•1 views

CVE-2025-66371

5CVSS6.5AI score0.00013EPSS

Exploits0References4

Cvelist•added 2025/10/29 1:29 p.m.•3 views

CVE-2025-64134

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity XXE attacks...

0.00032EPSS

Exploits0References1

Debian•added 2025/10/26 6:20 p.m.•4 views

[SECURITY] [DSA 6039-1] openjdk-25 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6039-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff October 26, 2025 https://www.debian.org/security/faq -...

7.5CVSS7.2AI score0.00068EPSS

Exploits0