CVE-2026-44618 Apache CXF: XXE vulnerability in WS-Transfer functionality
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...
Apache CXF Security Vulnerability
Apache CXF is an open-source web service framework developed by the Apache Software Foundation. The framework supports various web service standards and multiple front-end programming APIs. A security vulnerability in Apache CXF stems from an insecure XML parser...
MiracleLinux 7 : xstream-1.3.1-12.el7 (AXSA:2021-1252:01)
The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2021-1252:01 advisory. XStream: remote code execution due to insecure XML deserialization when relying on blocklists (CVE-2020-26217). Tenable has extracted the preceding description...
CVE-2025-23195
An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. The vulnerability occurs because XML input is parsed with the DocumentBuilderFactory class without disabling external entity resolution. An attacker can...
XML External Entity (XXE)
langchain-community is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to insecure XML parsing in the EverNoteLoader component, which uses etree.iterparse without disabling external entity references, allowing an attacker to craft a malicious XML payload to access sensitive local...
EUVD-2020-17608
Malware in sbrugna...
EUVD-2022-36778
Malicious code in bioql PyPI...
GHSA-PC6W-59FV-RH23 Langchain Community Vulnerable to XML External Entity (XXE) Attacks
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse without disabling external entity references, which can lead to sensitive informati...
LangChain Information Disclosure Vulnerability
LangChain is an open-source framework for developing applications powered by large language models (LLMs). An information disclosure vulnerability exists in LangChain version 0.3.63, which stems from insecure XML parsing and could lead to the disclosure of sensitive information...
XML External Entity (XXE) Injection
org.eclipse.jgit is vulnerable to XML External Entity (XXE) attacks. The vulnerability is due to insecure handling of XML input by the ManifestParser and AmazonS3 classes when parsing XML files, which allows an attacker to perform an XML External Entity (XXE) attack...
CVE-2025-47778 Sulu vulnerable to XXE in SVG File upload Inspector
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG file that may load external data via the XML DOM library, which enables XML External Entity (XXE) attacks. The problem has...
PT-2025-21177 · Sulu · Sulu
Name of the Vulnerable Software and Affected Versions: Sulu versions 2.5.21 through 2.5.24 Sulu versions 2.6.5 through 2.6.8 Sulu versions 3.0.0-alpha1 through 3.0.0-alpha2 Description: Sulu is an open-source PHP content management system based on the Symfony framework. The issue allows an admin...
XML External Entity (XXE) Injection
Langroid is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to the XMLToolMessage class processing untrusted XML input without proper restrictions, potentially enabling denial of service or local file disclosure...
CVE-2025-25940
VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java...
PT-2025-10599 · Visicut · Visicut
Name of the Vulnerable Software and Affected Versions: VisiCut version 2.1 Description: The issue allows code execution via insecure XML deserialization in the loadPlfFile method of VisicutModel.java. Recommendations: For VisiCut version 2.1, consider restricting the use of the loadPlfFile method...
CVE-2025-23195
The CVE-2025-23195 XXE vulnerability affects Ambari/Oozie where XML input is parsed with DocumentBuilderFactory without disabling external entity resolution. This can enable an attacker to read arbitrary server files or trigger SSRF. Affected product version exposure is documented as fixed in Amb...
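Several of the entries above (the EverNoteLoader, Langroid and Ambari/Oozie items) describe the same root cause: XML from an untrusted source is handed to a parser that still honours DOCTYPE and ENTITY declarations, so a `SYSTEM "file:///..."` entity reads a local file into the parsed document and a nested internal entity expands into a denial of service. The block below is an added example, not code from any of the projects listed, showing the parser-independent mitigation: refuse any document that carries a DTD before the bytes reach `iterparse`. The ENEX-style note format, the `load_notes`/`reject_dtd` names and the three sample documents are constructed for the example.

```python
import io
import re
import xml.etree.ElementTree as ET

# A note export never legitimately needs a DTD, so any DOCTYPE or ENTITY
# declaration is treated as hostile and rejected before parsing. This is
# fail-closed: a "<!DOCTYPE" inside a comment or CDATA section is also
# rejected, which is the acceptable side of the trade-off.
_DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when the document carries a DTD or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Refuse documents containing DOCTYPE/ENTITY declarations (the XXE vector)."""
    if _DTD_RE.search(data):
        raise UnsafeXMLError("DOCTYPE/ENTITY declarations are not allowed")


def load_notes(data: bytes) -> list:
    """Stream <note> elements from a constructed ENEX-style export.

    Mirrors the shape of a streaming note loader: iterparse over 'end'
    events, extract title and content, then clear the element to bound
    memory. The DTD check runs first so no entity is ever resolved.
    """
    reject_dtd(data)
    notes = []
    for _event, elem in ET.iterparse(io.BytesIO(data), events=("end",)):
        if elem.tag == "note":
            notes.append({
                "title": (elem.findtext("title") or "").strip(),
                "content": (elem.findtext("content") or "").strip(),
            })
            elem.clear()
    return notes


# Constructed sample inputs (not real exports).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<en-export>
  <note><title>Groceries</title><content>milk, eggs</content></note>
  <note><title>Ideas</title><content>rotate the signing key</content></note>
</en-export>"""

# Classic XXE: an external SYSTEM entity that a permissive parser would
# replace with the contents of a local file.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE en-export [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<en-export><note><title>&xxe;</title><content>x</content></note></en-export>"""

# Entity-expansion denial of service (a two-level "billion laughs" seed).
LOL = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;"> ]>
<en-export><note><title>&lol2;</title><content>x</content></note></en-export>"""


def check_payload(data: bytes) -> str:
    """Return 'accepted' if the loader parses the document, 'rejected' if the DTD guard fires."""
    try:
        load_notes(data)
        return "accepted"
    except UnsafeXMLError:
        return "rejected"


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("xxe", XXE), ("lol", LOL)):
        print(name, check_payload(payload))
```

The up-front DOCTYPE check is the portable part of the fix; the parser-level half depends on the library. For lxml, which is what a loader using `etree.iterparse` with entity resolution enabled typically relies on, the relevant constructor options are `resolve_entities=False`, `load_dtd=False` and `no_network=True` on `etree.XMLParser` (and the same keywords on `etree.iterparse`). For the Java `DocumentBuilderFactory` case in the Ambari/Oozie entries, the equivalent is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`. Python's standard-library `xml.etree` does not fetch external entities on its own, but the guard still matters there because it turns an opaque parse error into an explicit, auditable rejection and blocks internal-entity expansion regardless of expat version.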