16 matches found
CVE-2025-23195
An XML External Entity XXE vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the DocumentBuilderFactory class without disabling external entity resolution. An attacker can...
XML External Entity (XXE)
langchaincommunity is vulnerable to XML External Entity XXE. The vulnerability is due to insecure XML parsing in the EverNoteLoader component that uses etree.iterparse without disabling external entity references, which allows an attacker to craft a malicious XML payload to access sensitive local...
EUVD-2022-36778
Malicious code in bioql PyPI...
GHSA-PC6W-59FV-RH23 Langchain Community Vulnerable to XML External Entity (XXE) Attacks
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity XXE attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse without disabling external entity references, which can lead to sensitive informati...
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity XXE attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse without disabling external entity references, which can lead to sensitive informati...
LangChain 信息泄露漏洞
LangChain is a LangChain open source framework for developing applications powered by the Large Language Model LLM. An information disclosure vulnerability exists in LangChain version 0.3.63, which stems from insecure XML parsing and could lead to the disclosure of sensitive information...
XML External Entity (XXE) Injection
Langroid is vulnerable to XML External Entity XXE Injection. The vulnerability is due to insecure XML parsing due to the XMLToolMessage class processing untrusted XML input without proper restrictions, potentially enabling denial of service or local file disclosure...
CVE-2025-23195
The CVE-2025-23195 XXE vulnerability affects Ambari/Oozie where XML input is parsed with DocumentBuilderFactory without disabling external entity resolution. This can enable an attacker to read arbitrary server files or trigger SSRF. Affected product version exposure is documented as fixed in Amb...
XML External Entity (XXE) Injection
HAPI FHIR is vulnerable to XML External Entity XXE Injection. The vulnerability is due to insecure XML parsing by HAPI FHIR, specifically within the XSLT parsing components, which improperly handle external entity references in XML files. It allows attackers to inject malicious XML content, such ...
Security Bulletin: Insecure XML parsing vulnerability affect IBM Business Automation Workflow - CVE-2014-0107, CVE-2022-34169
Summary IBM Business Automation Workflow reintroduced an outdated version of the Xalan library. Vulnerability Details CVEID:CVE-2014-0107 DESCRIPTION: Apache Xalan-Java could allow a remote attacker to bypass security restrictions, caused by the improper handling of output properties. An attacker...
gradle: Possible local text file exfiltration by XML External entity injection
A flaw was found in Gradle. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack OOB-XXE, parsing XML can lead to the exfiltration of local text files to a remote server. In most cases, Gradle parses XML files it...
CVE-2023-46214 Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations XSLT that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance...
CVE-2023-46214 Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations XSLT that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance...
Adobe ColdFusion Insecure XML Parsing Vulnerability
Adobe ColdFusion is the United States of America Audobee Adobe a dynamic Web server products, which runs the CFML ColdFusion Markup Language is a programming language for Web applications. An insecure XML parsing vulnerability exists in Adobe ColdFusion. The vulnerability stems from the program's...
RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:2469)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:2469 advisory. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java...
OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak...