CVE-2026-6239

A stack‑based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive...

Exploit for CVE-2019-5513

VMware Horizon /broker/xml Vulnerability Scanner !Security...

Microweber <1.2.12 - Stored Cross-Site Scripting

Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. id: CVE-2022-0963 info: name: Microweber 1.2.12 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | Microweber prior to 1.2.12 contains a stored...

Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass

Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the...

Oracle Business Intelligence Publisher - XML External Entity Injection

Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publishe...

Adobe Experience Manager - XML External Entity Injection

Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2019-8086 info: name: Adobe...

Sitecore CMS - Cross-Site Scripting

Sitecore CMS contains a cross-site scripting vulnerability via the "special way" of displaying XML Controls directly, which allows for a Cross Site Scripting Attack. id: CVE-2014-100004 info: name: Sitecore CMS - Cross-Site Scripting author: DhiyaneshDK severity: medium description: | Sitecore CM...

JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. id: CVE-2017-5983 info: name:...

SysAid On-Prem <= 23.3.40 - XML External Entity

SysAid On-Prem versions = 23.3.40 are vulnerable to an unauthenticated XML External Entity XXE vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. id: CVE-2025-2776 info: name: SysAid On-Prem = 23.3.40 - XML External Enti...

WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution

WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code executio...

IBM Maximo Asset Management Information Disclosure - XML External Entity Injection

IBM Maximo Asset Management is vulnerable to an XML external entity injection XXE attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. id: CVE-2020-4463 info: name: IBM Maximo Asset Management Information...

Apache Cocoon 2.1.12 - XML Injection

Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system. id: CVE-2020-11991 info: name: Apache Cocoon 2.1.12 - XML...

Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE)

cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity XXE issue via XML file upload, which leads to local file disclosure. id: CVE-2022-38840 info: name: Güralp MAN-EAM-0003 3.2.4 - XML External Entity XXE author: daffainfo severity: high description: |...

Revive Adserver 4.2 - Remote Code Execution

Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g...

Episerver 7 - Blind XML External Entity Injection

Episerver 7 patch 4 and earlier contains an XML external entity XXE caused by processing crafted DTD in XML requests involving util/xmlrpc/Handler.ashx, letting remote attackers read arbitrary files, exploit requires sending malicious XML payloads. id: CVE-2017-17762 info: name: Episerver 7 - Bli...

VMWare Cloud Foundation NSX-V - XML External Entity (XXE)

VMware Cloud Foundation NSX-V contains an XML External Entity XXE vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. id: CVE-2022-31678 info: name: VMWare Cloud...

Apache OFBiz 17.12.03 - Cross-Site Scripting

Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request. id: CVE-2020-9496 info: name: Apache OFBiz 17.12.03 - Cross-Site Scripting author: dwisiswant0 severity: medium description: Apache OFBiz 17.12.03 contains cross-site scripting a...

Journyx - XML External Entities Injection (XXE)

The "soapcgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. id: CVE-2024-6893 info: name: Journyx - XML...

Citrix StoreFront - Cross-Site Scripting

Reflected Cross-Site Scripting issue which is exploitable without authentication. This vulnerability was exploitable through coercing an error message during an XML parsing procedure in the SSO flow. id: CVE-2023-5914 info: name: Citrix StoreFront - Cross-Site Scripting author: DhiyaneshDK...

Akamai CloudTest < 60 2025.06.02 - XML External Entity (XXE)

Akamai CloudTest before 60 2025.06.02 12988 allows file inclusion via XML External Entity XXE injection. id: CVE-2025-49493 info: name: Akamai CloudTest 60 2025.06.02 - XML External Entity XXE author: xbow,3th1cyuk1 severity: critical description: | Akamai CloudTest before 60 2025.06.02 12988...