Total
1239 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-68493 | 1 Apache | 1 Struts | 2026-06-17 | N/A | 8.1 HIGH |
| Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | |||||
| CVE-2025-68463 | 2026-06-17 | N/A | 4.9 MEDIUM | ||
| Bio.Entrez in Biopython through 186 allows doctype XXE. | |||||
| CVE-2025-68280 | 1 Apache | 1 Spatial Information System | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ... | |||||
| CVE-2025-66516 | 1 Apache | 1 Tika | 2026-06-17 | N/A | 8.4 HIGH |
| Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. | |||||
| CVE-2025-66372 | 2026-06-17 | N/A | 2.8 LOW | ||
| Mustang before 2.16.3 allows exfiltrating files via XXE attacks. | |||||
| CVE-2025-66371 | 2026-06-17 | N/A | 5.0 MEDIUM | ||
| Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. | |||||
| CVE-2025-66370 | 2026-06-17 | N/A | 5.0 MEDIUM | ||
| Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem. | |||||
| CVE-2025-65868 | 1 Eyoucms | 1 Eyoucms | 2026-06-17 | N/A | 7.5 HIGH |
| XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request. | |||||
| CVE-2025-65482 | 1 Opensagres | 1 Xdocreport | 2026-06-17 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | |||||
| CVE-2025-64518 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format. | |||||
| CVE-2025-64134 | 1 Jenkins | 1 Jdepend | 2026-06-17 | N/A | 7.1 HIGH |
| Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2025-63917 | 1 Cnblogs | 1 Pdfpatcher | 2026-06-17 | N/A | 7.1 HIGH |
| PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks. | |||||
| CVE-2025-63551 | 1 Metinfo | 1 Metinfo | 2026-06-17 | N/A | 7.5 HIGH |
| A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed. | |||||
| CVE-2025-61823 | 1 Adobe | 1 Coldfusion | 2026-06-17 | N/A | 6.2 MEDIUM |
| ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed. | |||||
| CVE-2025-61821 | 1 Adobe | 1 Coldfusion | 2026-06-17 | N/A | 6.8 MEDIUM |
| ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue does not require user interaction and scope is changed. | |||||
| CVE-2025-61813 | 1 Adobe | 1 Coldfusion | 2026-06-17 | N/A | 8.2 HIGH |
| ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed. | |||||
| CVE-2025-5877 | 1 Fengoffice | 1 Feng Office | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/ApplicationDataObject.class.php of the component Document Upload Handler. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-58360 | 1 Geoserver | 1 Geoserver | 2026-06-17 | N/A | 8.2 HIGH |
| GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0. | |||||
| CVE-2025-57704 | 2026-06-17 | N/A | 5.5 MEDIUM | ||
| Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability. | |||||
| CVE-2025-54992 | 2026-06-17 | N/A | N/A | ||
| OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0. | |||||