Total: 106 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1545 | 1 Watchguard | 34 Firebox M270, Firebox M290, Firebox M370 and 31 more | 2025-12-10 | N/A | 7.5 HIGH |
| An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured. This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | |||||
| CVE-2025-66034 | 1 Fonttools | 1 Fonttools | 2025-12-03 | N/A | 6.3 MEDIUM |
| fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2. | |||||
| CVE-2025-12921 | 1 Openclinica | 1 Openclinica | 2025-12-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-24404 | 1 Apache | 1 Hertzbeat | 2025-11-04 | N/A | 8.8 HIGH |
| XML injection leading to remote code execution when parsing an HTTP sitemap XML response in Apache HertzBeat. The attacker needs an authenticated account with access to add a monitor whose response is parsed as XML; specially crafted returned content can then trigger the XML parsing vulnerability. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue. | |||||
| CVE-2020-0646 | 1 Microsoft | 15 .net Framework, Windows 10 1507, Windows 10 1607 and 12 more | 2025-10-29 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'. | |||||
| CVE-2025-7473 | 1 Zohocorp | 1 Manageengine Endpoint Central | 2025-10-23 | N/A | 5.2 MEDIUM |
| Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection. | |||||
| CVE-2025-60833 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2025-10-10 | N/A | 6.5 MEDIUM |
| An XML External Entity (XXE) vulnerability in the /mall/wxpay/pay component of uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying crafted XML data. | |||||
| CVE-2025-54251 | 1 Adobe | 1 Experience Manager | 2025-10-02 | N/A | 4.3 MEDIUM |
| Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access. | |||||
| CVE-2025-47184 | | | 2025-09-11 | N/A | 5.3 MEDIUM |
| An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve information disclosure and privilege escalation via a crafted ISys XML message. | |||||
| CVE-2025-9375 | | | 2025-09-08 | N/A | N/A |
| XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. | |||||
| CVE-2022-25356 | 1 Altn | 1 Securitygateway | 2025-09-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Alt-N MDaemon Security Gateway through 8.5.0 allows SecurityGateway.dll?view=login XML Injection. | |||||
| CVE-2024-47113 | 1 Ibm | 1 Voice Gateway | 2025-08-18 | N/A | 8.1 HIGH |
| IBM ICP - Voice Gateway 1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.7.1, and 1.0.8 could allow a remote attacker to send specially crafted XML statements, which would allow them to view or modify information in the XML document. | |||||
| CVE-2023-32173 | 1 Unified-automation | 1 Uagateway | 2025-08-08 | N/A | 5.8 MEDIUM |
| Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the implementation of the AddServer method. By specifying crafted arguments, an attacker can cause invalid characters to be inserted into an XML configuration file. An attacker can leverage this vulnerability to create a persistent denial-of-service condition on the system. Was ZDI-CAN-20576. | |||||
| CVE-2023-27328 | 1 Parallels | 1 Parallels Desktop | 2025-08-06 | N/A | 7.8 HIGH |
| Parallels Desktop Toolgate XML Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied string before using it to construct an XML document. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-19187. | |||||
| CVE-2025-49538 | 1 Adobe | 1 Coldfusion | 2025-07-11 | N/A | 7.4 HIGH |
| ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or cause a denial of service. Exploitation of this issue does not require user interaction, but the attacker must have access to shared secrets. | |||||
| CVE-2023-35858 | 1 Moderncampus | 1 Omni Cms | 2025-06-18 | N/A | 5.3 MEDIUM |
| XPath Injection vulnerabilities in the blog and RSS functions of Modern Campus - Omni CMS 2023.1 allow a remote, unauthenticated attacker to obtain application information. | |||||
| CVE-2022-35259 | 1 Ivanti | 1 Endpoint Manager | 2025-04-24 | N/A | 7.8 HIGH |
| XML Injection in Endpoint Manager 2022.3 and below may cause a malicious file to be downloaded and executed, possibly granting unauthorized privileges. | |||||
| CVE-2015-3932 | 1 Netlock | 1 Mokka | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object. | |||||
| CVE-2013-7429 | 1 Mapsplugin | 1 Googlemaps | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php. | |||||
| CVE-2017-5654 | 1 Apache | 1 Ambari | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes. | |||||
