Lucene search
K

7671 matches found

CVE
CVE
added 2026/06/24 1:20 p.m.18 views

CVE-2026-57303

CVE-2026-57303 affects Jenkins Assembla Plugin 1.4 and earlier. The root cause is that the plugin’s XML parser is not configured to prevent XML external entity (XXE) attacks. This can allow an attacker who can influence the Assembla server responses to exfiltrate secrets from the Jenkins controll...

7.1CVSS5.9AI score0.00224EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.10 views

PT-2026-51813

Name of the Vulnerable Software and Affected Versions Jenkins Assembla Plugin versions prior to 1.5 Description The XML parser is not configured to prevent XML external entity XXE attacks. This allows attackers who can control the responses from the configured Assembla server to extract secrets...

7.1CVSS5.8AI score0.00224EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 12:13 p.m.35 views

CVE-2026-56701 Grav - XML External Entity Injection via SVG Upload

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexmlloadstring without disabling external entity loading, enabling attackers to inject XXE payloads...

7.1CVSS0.00233EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:13 p.m.5 views

CVE-2026-56701

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexmlloadstring without disabling external entity loading, enabling attackers to inject XXE payloads...

7.1CVSS6AI score0.00233EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 12:13 p.m.13 views

CVE-2026-56701

Grav under 2.0.0-beta.2 is affected by an XML External Entity (XXE) vulnerability in SVG file upload handling. The issue arises because the application uses simplexml_load_string without disabling external entity loading, allowing authenticated attackers to inject XXE payloads via SVG files to ex...

7.1CVSS6AI score0.00233EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 7:45 a.m.5 views

CVE-2026-12788

A vulnerability was determined in zhilink 智互联深圳科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This vulnerability affects unknown code of the file /adpweb/a/base/barcodeDetail/import of the component XML Parser. This manipulation causes xml external entity reference. It is possible to...

6.5CVSS5.5AI score0.00237EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/06/21 7:45 a.m.31 views

CVE-2026-12788

CVE-2026-12788 affects zhilink 智互联(深圳)科技有限公司的 ADP Application Developer Platform 1.0.0. A vulnerability exists in the XML Parser component, specifically in the file /adpweb/a/base/barcodeDetail/import, allowing an XML External Entity (XXE) reference. The issue could be triggered remotely, and the...

6.5CVSS6.2AI score0.00237EPSS
Exploits0References5
Veracode
Veracode
added 2026/06/20 11:25 a.m.4 views

XML External Entity (XXE) Injection

org.hl7.fhir.utilities is vulnerable to XML External Entity XXE Injection. The vulnerability is due to the saxonTransform... methods instantiating an unprotected TransformerFactory without restricting external DTDs and stylesheets, which allows an attacker to supply a malicious XML document that...

8.7CVSS6AI score0.00309EPSS
Exploits0References4Affected Software1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.6 views

Astra Linux – Vulnerability in libxml2

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier, as well as other products, does not provide a direct flag indicating that the current document may be read, but other files may not be opened. This makes it easier for remote attackers to carry out XML External Entity XXE attacks...

5.5CVSS6.8AI score0.02938EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/18 6:55 p.m.19 views

CVE-2026-48981 pam_usb: xmlReadFile flags=0 permits XXE network entity fetching in conf.c

pamusb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pamusb calls xmlReadFile with flags=0 when loading the configuration file, allowing libxml2 to process external entity references XXE, potentially making outbound network connections or...

6.7CVSS0.00115EPSS
Exploits0References2
CVE
CVE
added 2026/06/18 6:55 p.m.20 views

CVE-2026-48981

The CVE-2026-48981 issue affects pam_usb for Linux, where in versions prior to 0.9.2 the module loads its configuration via xmlReadFile() with flags=0. This allows libxml2 to process external entity references (XXE) during XML parsing, potentially causing outbound network connections or local fil...

6.7CVSS5.4AI score0.00115EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:47 p.m.5 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection through the saxonTransform function that uses unhardened net.sf.saxon.TransformerFactoryImpl method. An attacker can access sensitive local files or trigger arbitrary HTTPS requests from the host by...

8.9CVSS6.1AI score0.00309EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/17 6:47 p.m.11 views

HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory

Summary org.hl7.fhir.utilities.XsltUtilities exposes two parallel families of XSLT transform helpers. The transform... overloads obtain their TransformerFactory from the project's hardened helper XMLUtil.newXXEProtectedTransformerFactory which sets ACCESSEXTERNALDTD="" and...

8.7CVSS5.5AI score0.00309EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50600

Name of the Vulnerable Software and Affected Versions org.hl7.fhir.utilities versions 6.9.8 and earlier Description The org.hl7.fhir.utilities library contains an XML External Entity XXE injection flaw. The saxonTransform function overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl...

9.2CVSS6AI score0.00309EPSS
Exploits0References8
GitLab Advisory Database
GitLab Advisory Database
added 2026/06/17 12:0 a.m.10 views

HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory

org.hl7.fhir.utilities.XsltUtilities exposes two parallel families of XSLT transform helpers. The transform... overloads obtain their TransformerFactory from the project's hardened helper XMLUtil.newXXEProtectedTransformerFactory which sets ACCESSEXTERNALDTD="" and ACCESSEXTERNALSTYLESHEET="". Th...

8.7CVSS5.3AI score0.00309EPSS
Exploits0References3
Veracode
Veracode
added 2026/06/16 9:35 a.m.11 views

XML External Entity (XXE) Injection

Spring Web Services is vulnerable to XML External Entity XXE Injection. The vulnerability is due to Jaxp13XPathTemplate using a code path for StreamSource and SAXSource inputs that parses attacker-controlled XML with the default DocumentBuilderFactory configuration instead of Spring's hardened XM...

8.2CVSS5.4AI score0.00352EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/06/15 7:20 a.m.10 views

XXE Injection

Spring REST Docs is vulnerable to XML External Entity XXE Injection. The vulnerability is due to unsafe processing of XML content when documenting remote APIs, where a compromised or malicious API can supply crafted XML containing external entities. When documentation-generating tests are execute...

5.9CVSS5.3AI score0.00223EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/12 11:10 a.m.6 views

XML External Entity (XXE) Injection

Overview org.apache.cxf:cxf-core is an an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. Affected versions of this package are vulnerable to XML External Entity XXE Injection due to improper configuration of the...

9.8CVSS5.7AI score0.00485EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 8:54 a.m.54 views

CVE-2026-49875 Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

0.00485EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:54 a.m.109 views

CVE-2026-49875

Apache CXF is affected by an XML External Entity (XXE) issue described as CVE-2026-49875. The vulnerability arises because EndpointReferenceUtils and W3CMultiSchemaFactory construct a SAXParserFactory without proper JAXP hardening, enabling out-of-band (OOB) external entity resolution. Affected c...

9.8CVSS5.3AI score0.00485EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder