Total
123 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28770 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-06-17 | N/A | 8.8 HIGH |
| Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible | |||||
| CVE-2026-1554 | 1 Jtenman | 1 Central Authentication System Server | 2026-06-17 | N/A | 4.2 MEDIUM |
| XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2. | |||||
| CVE-2025-9375 | 2026-06-17 | N/A | N/A | ||
| XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation. | |||||
| CVE-2025-7473 | 1 Zohocorp | 1 Manageengine Endpoint Central | 2026-06-17 | N/A | 5.2 MEDIUM |
| Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection. | |||||
| CVE-2025-66034 | 1 Fonttools | 1 Fonttools | 2026-06-17 | N/A | 6.3 MEDIUM |
| fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2. | |||||
| CVE-2025-60833 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2026-06-17 | N/A | 6.5 MEDIUM |
| An XML External Entity (XXE) vulnerability in the /mall/wxpay/pay component of uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying crafted XML data. | |||||
| CVE-2025-54251 | 1 Adobe | 1 Experience Manager | 2026-06-17 | N/A | 4.3 MEDIUM |
| Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access. | |||||
| CVE-2025-49538 | 1 Adobe | 1 Coldfusion | 2026-06-17 | N/A | 7.4 HIGH |
| ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets. | |||||
| CVE-2025-47184 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve information disclosure and privilege escalation via a crafted ISys XML message. | |||||
| CVE-2025-25589 | 2026-06-17 | N/A | 8.1 HIGH | ||
| An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file. | |||||
| CVE-2025-24404 | 1 Apache | 1 Hertzbeat | 2026-06-17 | N/A | 8.8 HIGH |
| XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue. | |||||
| CVE-2025-1545 | 1 Watchguard | 34 Firebox M270, Firebox M290, Firebox M370 and 31 more | 2026-06-17 | N/A | 7.5 HIGH |
| An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | |||||
| CVE-2025-12921 | 1 Openclinica | 1 Openclinica | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-53675 | 1 Hpe | 1 Insight Remote Support | 2026-06-17 | N/A | 7.3 HIGH |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | |||||
| CVE-2024-53674 | 1 Hpe | 1 Insight Remote Support | 2026-06-17 | N/A | 7.3 HIGH |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | |||||
| CVE-2024-51136 | 1 Openimaj | 1 Openimaj | 2026-06-17 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. | |||||
| CVE-2024-47113 | 1 Ibm | 1 Voice Gateway | 2026-06-17 | N/A | 8.1 HIGH |
| IBM ICP - Voice Gateway 1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6. 1.0.7, 1.0.7.1, and 1.0.8 could allow remote attacker to send specially crafted XML statements, which would allow them to attacker to view or modify information in the XML document. | |||||
| CVE-2024-42374 | 1 Sap | 1 Bex Web Java Runtime Export Web Service | 2026-06-17 | N/A | 8.2 HIGH |
| BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application. | |||||
| CVE-2024-34740 | 1 Google | 1 Android | 2026-06-17 | N/A | 7.8 HIGH |
| In attributeBytesBase64 and attributeBytesHex of BinaryXmlSerializer.java, there is a possible arbitrary XML injection due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-33858 | 1 Logpoint | 1 Siem | 2026-06-17 | N/A | 5.3 MEDIUM |
| An issue was discovered in Logpoint before 7.4.0. A path injection vulnerability is seen while adding a CSV enrichment source. The source_name parameter could be changed to an absolute path; this will write the CSV file to that path inside the /tmp directory. | |||||