CWE-776 · Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)
31 CVEs classified under CWE-776 (Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-32623 | High | 8.1 | 2021-06-15 | Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laugh… |
| CVE-2026-31248 | High | 7.5 | 2026-05-11 | Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives… |
| CVE-2026-33036 | High | 7.5 | 2026-03-20 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vul… |
| CVE-2026-29074 | High | 7.5 | 2026-03-06 | SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from ver… |
| CVE-2026-26278 | High | 7.5 | 2026-02-19 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4… |
| CVE-2025-3225 | High | 7.5 | 2025-07-07 | An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifica… |
| CVE-2023-28118 | High | 7.5 | 2023-03-20 | kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and alias… |
| CVE-2011-3288 | High | 7.5 | 2011-10-06 | Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (me… |
| CVE-2011-1755 | High | 7.5 | 2011-06-21 | jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU c… |
| CVE-2024-28982 | High | 7.1 | 2024-06-26 | Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of th… |
| CVE-2023-38490 | Medium | 6.8 | 2023-07-27 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the… |
| CVE-2025-0617 | Medium | 5.9 | 2025-01-29 | An attacker with access to an HX 10.0.0 and previous versions, may send specially-crafted data to the HX console. The malicious detection would then trigger… |
| CVE-2024-43398 | Medium | 5.9 | 2024-08-22 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local nam… |
| CVE-2024-27142 | Medium | 5.9 | 2024-06-14 | Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a ti… |
| CVE-2024-27141 | Medium | 5.9 | 2024-06-14 | Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a ti… |
| CVE-2024-1455 | Medium | 5.9 | 2024-03-26 | A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multi… |
| CVE-2017-5644 | Medium | 5.5 | 2017-03-24 | Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an… |
| CVE-2026-23822 | Medium | 5.3 | 2026-05-12 | A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. S… |
| CVE-2021-31842 | Medium | 5.0 | 2021-09-17 | XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiat… |
| CVE-2026-27807 | Medium | 4.9 | 2026-03-06 | MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML file… |
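The weakness class behind every entry above is the same: an XML parser follows nested internal entity references (the "billion laughs" pattern, or an entity that references itself) without bounding how much text they expand to. The following is an added example, not code from this page or from any of the listed projects. It walks the entity declarations of the internal DTD subset before parsing, computes the expansion cost of each reference, and rejects the document when it finds a reference cycle, excessive nesting, an absolute size blow-up, or an amplification ratio that is out of proportion to the raw input. The limit values, the helper names (`expansion_cost`, `safe_parse`, `verdict`, `billion_laughs`), and the sample documents are all assumptions made for this example; production code should prefer the limits the parser itself exposes (or, in Python, `defusedxml`, which refuses entity declarations outright). The pre-check covers internal general entities only, so external entity resolution (XXE, CWE-611) must still be disabled separately.

```python
import re
import xml.etree.ElementTree as ET

# Limits are assumptions chosen for this example; real parsers expose their own
# knobs (libexpat's amplification factor, Xerces' entityExpansionLimit, ...).
MAX_ENTITY_DEPTH = 16             # entity-inside-entity nesting
MAX_EXPANSION_CHARS = 10_000_000  # absolute size the references may expand to
MAX_AMPLIFICATION = 100.0         # expanded characters per character of input

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\]\s*)?>", re.S)
# Internal general entities only: <!ENTITY name "value">. Parameter entities
# (<!ENTITY % ...>) and external entities (SYSTEM/PUBLIC) do not match here.
_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[^\s%]+)\s+(?P<q>["\'])(?P<val>.*?)(?P=q)\s*>', re.S)
_REF_RE = re.compile(r"&(?P<name>[^;&\s]+);")


class EntityExpansionError(ValueError):
    """Raised when entity references would expand beyond the configured limits."""


def _entity_size(name, entities, stack, memo):
    """Characters that &name; expands to, following nested references.

    `stack` is the chain of entities currently being expanded; a name that is
    already on it is a reference cycle (the recursion the 2011 CVEs above failed
    to detect). `memo` makes each entity cost O(1) after its first visit, so the
    check itself does not become the resource sink.
    """
    if name in memo:
        return memo[name]
    if name in stack:
        raise EntityExpansionError(
            "recursive entity reference: " + " -> ".join(stack + (name,)))
    if len(stack) >= MAX_ENTITY_DEPTH:
        raise EntityExpansionError(f"entity nesting deeper than {MAX_ENTITY_DEPTH}")
    value = entities.get(name)
    if value is None:
        return 1  # predefined (&amp;) or character (&#x1F600;) reference: one char
    size, pos = 0, 0
    for ref in _REF_RE.finditer(value):
        size += ref.start() - pos  # literal text preceding this reference
        size += _entity_size(ref.group("name"), entities, stack + (name,), memo)
        pos = ref.end()
        if size > MAX_EXPANSION_CHARS:
            raise EntityExpansionError(
                f"expansion of &{name}; exceeds {MAX_EXPANSION_CHARS} characters")
    size += len(value) - pos
    memo[name] = size
    return size


def expansion_cost(doc: str) -> int:
    """Total characters the entity references in the document body expand to."""
    entities, body = {}, doc
    m = _DOCTYPE_RE.search(doc)
    if m:
        body = doc[m.end():]
        if m.group("subset"):
            entities = {e.group("name"): e.group("val")
                        for e in _ENTITY_RE.finditer(m.group("subset"))}
    memo, total = {}, 0
    for ref in _REF_RE.finditer(body):
        total += _entity_size(ref.group("name"), entities, (), memo)
        if total > MAX_EXPANSION_CHARS:
            raise EntityExpansionError(
                f"expansion exceeds {MAX_EXPANSION_CHARS} characters")
    if total > MAX_AMPLIFICATION * len(doc):
        raise EntityExpansionError(
            f"amplification {total / len(doc):.0f}x exceeds {MAX_AMPLIFICATION:.0f}x")
    return total


def safe_parse(doc: str) -> ET.Element:
    """Parse only after the expansion budget has been checked."""
    expansion_cost(doc)
    return ET.fromstring(doc)


def verdict(doc: str) -> str:
    """'accepted', or the reason the pre-check rejected the document."""
    try:
        expansion_cost(doc)
    except EntityExpansionError as exc:
        return str(exc)
    return "accepted"


def billion_laughs(levels: int = 9, fanout: int = 10) -> str:
    """Constructed sample: the classic payload, fanout**levels copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = ("&" + prev + ";") * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return "<!DOCTYPE lolz [\n" + "\n".join(decls) + "\n]>\n" + f"<lolz>&lol{levels};</lolz>"


# Constructed samples: a reference cycle, and a harmless document that uses
# an internal entity plus a predefined and a character reference.
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'
BENIGN = '<!DOCTYPE a [<!ENTITY greet "hello">]><a>&greet; &amp; &#x1F600;</a>'

if __name__ == "__main__":
    print(verdict(billion_laughs(9)))               # rejected on absolute size
    print(verdict(billion_laughs(6)))               # rejected on amplification
    print(verdict(RECURSIVE))                       # rejected as recursive
    print(len(safe_parse(billion_laughs(3)).text))  # 3000: small fanout parses
```

Three separate limits are deliberate. The absolute cap stops the ten-level payload on its own; the amplification ratio catches a six-level variant whose three-million-character output is well under the cap but roughly 5,000 times the input; and the cycle check rejects mutually recursive declarations before any expansion happens, which is the case the title of CWE-776 names directly.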