Filtered by vendor
Subscriptions
Total
77 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-19144 | 2025-08-04 | 9.8 Critical | ||
XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate. | ||||
CVE-2025-3225 | 1 Llamaindex | 1 Llamaindex | 2025-07-31 | N/A |
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29. | ||||
CVE-2024-1455 | 2 Langchain, Langchain-ai | 2 Langchain, Langchain | 2025-07-30 | 5.9 Medium |
A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS). | ||||
CVE-2023-52426 | 1 Libexpat Project | 1 Libexpat | 2025-06-17 | 5.5 Medium |
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. | ||||
CVE-2019-15903 | 3 Libexpat Project, Python, Redhat | 5 Libexpat, Python, Enterprise Linux and 2 more | 2025-05-30 | 6.5 Medium |
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. | ||||
CVE-2022-34430 | 1 Dell | 1 Hybrid Client | 2025-05-19 | 7.1 High |
Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification. | ||||
CVE-2022-44641 | 2 Debian, Linaro | 2 Debian Linux, Lava | 2025-04-29 | 6.5 Medium |
In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. | ||||
CVE-2022-23640 | 1 Excel Streaming Reader Project | 1 Excel Streaming Reader | 2025-04-23 | 9.8 Critical |
Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround. | ||||
CVE-2017-5644 | 1 Apache | 1 Poi | 2025-04-20 | N/A |
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | ||||
CVE-2017-16932 | 1 Xmlsoft | 1 Libxml2 | 2025-04-20 | N/A |
parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. | ||||
CVE-2017-16931 | 1 Xmlsoft | 1 Libxml2 | 2025-04-20 | N/A |
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name. | ||||
CVE-2016-10040 | 1 Qt | 1 Qxmlsimplereader | 2025-04-20 | N/A |
Stack-based buffer overflow in QXmlSimpleReader in Qt 4.8.5 allows remote attackers to cause a denial of service (application crash) via a xml file with multiple nested open tags. | ||||
CVE-2016-10149 | 3 Debian, Pysaml2 Project, Redhat | 3 Debian Linux, Pysaml2, Openstack | 2025-04-20 | N/A |
XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response. | ||||
CVE-2016-8734 | 2 Apache, Debian | 2 Subversion, Debian Linux | 2025-04-20 | N/A |
Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory. | ||||
CVE-2014-8080 | 4 Canonical, Opensuse, Redhat and 1 more | 5 Ubuntu Linux, Opensuse, Enterprise Linux and 2 more | 2025-04-12 | N/A |
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. | ||||
CVE-2014-8090 | 2 Redhat, Ruby-lang | 3 Enterprise Linux, Rhel Software Collections, Ruby | 2025-04-12 | N/A |
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. | ||||
CVE-2014-3243 | 1 Makina-corpus | 1 Soappy | 2025-04-12 | N/A |
SOAPpy 0.12.5 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted SOAP request containing a large number of nested entity references. | ||||
CVE-2011-1755 | 4 Apple, Fedoraproject, Jabberd2 and 1 more | 6 Mac Os X, Mac Os X Server, Fedora and 3 more | 2025-04-11 | 7.5 High |
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | ||||
CVE-2013-4179 | 2 Openstack, Redhat | 3 Compute, Havana, Openstack | 2025-04-11 | N/A |
The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664. | ||||
CVE-2011-3288 | 1 Cisco | 1 Unified Presence | 2025-04-11 | 7.5 High |
Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug IDs CSCtq89842 and CSCtq88547, a similar issue to CVE-2003-1564. |