Total: 1246 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25955 | 1 Mlit | 1 National Land Numerical Information Data Conversion Tool | 2026-06-17 | N/A | 5.5 MEDIUM |
| National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker. | |||||
| CVE-2023-25926 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2026-06-17 | N/A | 5.5 MEDIUM |
| IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599. | |||||
| CVE-2023-24620 | 1 Esotericsoftware | 1 Yamlbeans | 2026-06-17 | N/A | 5.5 MEDIUM |
| An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able to perform an XML Entity Expansion attack against the YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception. | |||||
| CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2026-06-17 | N/A | 9.1 CRITICAL |
| Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. | |||||
| CVE-2023-24466 | 1 Microfocus | 1 Imanager | 2026-06-17 | N/A | 7.5 HIGH |
| Possible XML External Entity Injection in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0200. | |||||
| CVE-2023-24443 | 1 Jenkins | 1 Testcomplete Support | 2026-06-17 | N/A | 9.8 CRITICAL |
| Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-24441 | 1 Jenkins | 1 Mstest | 2026-06-17 | N/A | 9.8 CRITICAL |
| Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-24430 | 1 Jenkins | 1 Semantic Versioning | 2026-06-17 | N/A | 9.8 CRITICAL |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-24429 | 1 Jenkins | 1 Semantic Versioning | 2026-06-17 | N/A | 9.8 CRITICAL |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations on the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | |||||
| CVE-2023-24323 | 1 Mojoportal | 1 Mojoportal | 2026-06-17 | N/A | 8.8 HIGH |
| Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability. | |||||
| CVE-2023-24189 | 1 Bstek | 1 Urule | 2026-06-17 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile. | |||||
| CVE-2023-24187 | 1 Ureport Project | 1 Ureport | 2026-06-17 | N/A | 7.8 HIGH |
| An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile. | |||||
| CVE-2023-23926 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2026-06-17 | N/A | 5.9 MEDIUM |
| APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely, although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, that the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in their system. | |||||
| CVE-2023-23595 | 1 Bluecatnetworks | 1 Device Registration Portal | 2026-06-17 | N/A | 7.5 HIGH |
| BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected. | |||||
| CVE-2023-22832 | 1 Apache | 1 Nifi | 2026-06-17 | N/A | 7.5 HIGH |
| The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | |||||
| CVE-2023-22624 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2026-06-17 | N/A | 7.5 HIGH |
| Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks. | |||||
| CVE-2023-22377 | 1 Fujitsu | 2 Tsclinical Define.xml Generator, Tsclinical Metadata Desktop Tools | 2026-06-17 | N/A | 7.4 HIGH |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0) and tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0. If this vulnerability is exploited, an attacker may obtain an arbitrary file which meets a certain condition by reading a specially crafted XML file. | |||||
| CVE-2023-22322 | 1 Omron | 1 Cx-motion Pro | 2026-06-17 | N/A | 5.5 MEDIUM |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed. | |||||
| CVE-2023-21862 | 1 Oracle | 1 Web Services Manager | 2026-06-17 | N/A | 8.1 HIGH |
| Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: XML Security component). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services Manager. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Web Services Manager accessible data as well as unauthorized access to critical data or complete access to all Oracle Web Services Manager accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). | |||||
| CVE-2023-20918 | 1 Google | 1 Android | 2026-06-17 | N/A | 9.8 CRITICAL |
| In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
