Total: 74 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-44641 | 2 Debian, Linaro | 2 Debian Linux, Lava | 2026-06-17 | N/A | 6.5 MEDIUM |
| In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. | |||||
| CVE-2022-34467 | 1 Mendix | 1 Excel Importer | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions < V9.2.2), Mendix Excel Importer Module (Mendix 9 compatible) (All versions < V10.1.2). The affected component is vulnerable to XML Entity Expansion Injection. An attacker may use this to compromise the availability of the affected component. | |||||
| CVE-2022-34430 | 1 Dell | 1 Hybrid Client | 2026-06-17 | N/A | 7.1 HIGH |
| Dell Hybrid Client versions below 1.8 contain a Zip Bomb Vulnerability in the UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification. | |||||
| CVE-2022-33977 | 1 Untangle Project | 1 Untangle | 2026-06-17 | N/A | 7.5 HIGH |
| untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on the server where the product is running. | |||||
| CVE-2022-28652 | 2 Apport Project, Canonical | 2 Apport, Ubuntu Linux | 2026-06-17 | N/A | 5.5 MEDIUM |
| ~/.config/apport/settings parsing is vulnerable to "billion laughs" attack | |||||
| CVE-2022-26662 | 2 Debian, Tryton | 3 Debian Linux, Proteus, Trytond | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. | |||||
| CVE-2022-25857 | 2 Debian, Snakeyaml Project | 2 Debian Linux, Snakeyaml | 2026-06-17 | N/A | 7.5 HIGH |
| The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections. | |||||
| CVE-2022-23640 | 1 Excel Streaming Reader Project | 1 Excel Streaming Reader | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround. | |||||
| CVE-2022-0217 | 1 Prosody | 1 Prosody | 2026-06-17 | N/A | 7.5 HIGH |
| It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). | |||||
| CVE-2021-41559 | 1 Silverstripe | 1 Silverstripe | 2026-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | |||||
| CVE-2021-40511 | 1 Obdasystems | 1 Mastro | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service. | |||||
| CVE-2021-3541 | 4 Netapp, Oracle, Redhat and 1 more | 27 Active Iq Unified Manager, Cloud Backup, Clustered Data Ontap and 24 more | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service. | |||||
| CVE-2021-38490 | 1 Altova | 1 Mobiletogether Server | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425. | |||||
| CVE-2021-32623 | 1 Apereo | 1 Opencast | 2026-06-17 | 4.0 MEDIUM | 8.1 HIGH |
| Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers. The problem has been fixed in Opencast 9.6. There is no known workaround for this issue. | |||||
| CVE-2021-23926 | 4 Apache, Debian, Netapp and 1 more | 7 Xmlbeans, Debian Linux, Oncommand Unified Manager Core Package and 4 more | 2026-06-17 | 6.4 MEDIUM | 9.1 CRITICAL |
| The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. | |||||
| CVE-2021-20464 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious authenticated user. IBM X-Force ID: 196813. | |||||
| CVE-2021-1267 | 1 Cisco | 1 Secure Firewall Management Center | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition. | |||||
| CVE-2020-6856 | 1 Sos-berlin | 1 Jobscheduler | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entity (XEE) vulnerability exists in the JOC Cockpit component of SOS JobScheduler 1.12 and 1.13.2 that allows attackers to read files from the server via an entity declaration in any of the XML documents that are used to specify the run-time settings of jobs and orders. | |||||
| CVE-2020-5227 | 1 Feedgen Project | 1 Feedgen | 2026-06-17 | 5.0 MEDIUM | 4.4 MEDIUM |
| Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only. This problem has been fixed in feedgen 0.9.0, which disallows XML entity expansion and external resources. | |||||
| CVE-2020-3946 | 1 Vmware | 1 Installbuilder | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to Billion laughs attack (denial-of-service). | |||||
