Total: 1239 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-51132 | | | 2026-06-17 | N/A | 9.8 CRITICAL | An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code by supplying a crafted request containing malicious XML entities. |
| CVE-2024-50848 | 1 Rws | 1 Worldserver | 2026-06-17 | N/A | 6.5 MEDIUM | An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 allows attackers to access sensitive information and execute arbitrary commands by supplying a crafted .tmx file. |
| CVE-2024-50442 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2026-06-17 | N/A | 6.5 MEDIUM | Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection. This issue affects Royal Elementor Addons: from n/a through <= 1.3.980. |
| CVE-2024-4690 | 1 Microfocus | 1 Application Automation Tools | 2026-06-17 | N/A | 8.0 HIGH | Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection. This issue affects OpenText Application Automation Tools: 24.1.0 and below. |
| CVE-2024-4357 | 1 Progress | 1 Telerik Reporting | 2026-06-17 | N/A | 6.5 MEDIUM | An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, that allows a low-privilege attacker to read system files via XML External Entity Processing. |
| CVE-2024-4189 | 1 Microfocus | 1 Application Automation Tools | 2026-06-17 | N/A | 8.0 HIGH | Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection. This issue affects OpenText Application Automation Tools: 24.1.0 and below. |
| CVE-2024-4184 | 1 Microfocus | 1 Application Automation Tools | 2026-06-17 | N/A | 8.0 HIGH | Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection. This issue affects OpenText Application Automation Tools: 24.1.0 and below. |
| CVE-2024-49781 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2026-06-17 | N/A | 7.1 HIGH | IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
| CVE-2024-49704 | | | 2026-06-17 | N/A | 5.5 MEDIUM | A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The Generic Data Mapper, the Engineering Adapter, and the Engineering Interface improperly handle XML External Entity (XXE) entries when parsing configuration and mapping files. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by persuading a user to use a maliciously crafted configuration or mapping file in one of the affected components. |
| CVE-2024-49535 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2026-06-17 | N/A | 6.3 MEDIUM | Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document. |
| CVE-2024-49352 | 1 Ibm | 1 Cognos Analytics | 2026-06-17 | N/A | 7.1 HIGH | IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
| CVE-2024-49064 | 1 Microsoft | 1 Sharepoint Server | 2026-06-17 | N/A | 6.5 MEDIUM | Microsoft SharePoint Information Disclosure Vulnerability |
| CVE-2024-48917 | 1 Phpoffice | 1 Phpspreadsheet | 2026-06-17 | N/A | 7.5 HIGH | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding, can be bypassed by using a payload in the encoding UTF-7 and adding at the end of the file a comment with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that `encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue. |
| CVE-2024-47873 | 1 Phpoffice | 1 Phpspreadsheet | 2026-06-17 | N/A | 7.5 HIGH | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the `findCharSet` method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue. |
| CVE-2024-47582 | | | 2026-06-17 | N/A | 5.3 MEDIUM | Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint, leading to an XML Entity Expansion attack. This has a limited impact on the availability of the application. |
| CVE-2024-46985 | 1 Dataease | 1 Dataease | 2026-06-17 | N/A | 7.5 HIGH | DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to perform intranet detection and file reading. The vulnerability has been fixed in v2.10.1. |
| CVE-2024-46984 | 1 Gematik | 1 Reference Validator | 2026-06-17 | N/A | 8.6 HIGH | The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. The profile location routine in the referencevalidator commons package is vulnerable to an `XML External Entities` attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a `Server Side Request Forgery` attack. The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. The problem has been patched in version 2.5.1 of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. Pre-processing or manual analysis of input XML resources for the existence of DTD definitions or external entities can mitigate the problem. |
| CVE-2024-46603 | 1 Elspec-ltd | 2 G5dfr, G5dfr Firmware | 2026-06-17 | N/A | 7.5 HIGH | An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. |
| CVE-2024-46602 | 1 Elspec-ltd | 2 G5dfr, G5dfr Firmware | 2026-06-17 | N/A | 7.5 HIGH | An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload. |
| CVE-2024-46455 | | | 2026-06-17 | N/A | 9.8 CRITICAL | unstructured v0.14.2 and before is vulnerable to XML External Entity (XXE) injection via the XMLParser. |
