Cyber Posture

CWE-611: Improper Restriction of XML External Entity Reference

Abstraction: Base · CVEs in our corpus: 1,233

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (2) [AI]

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CA-8 | Penetration Testing | CA | Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation. |
| SI-4 | System Monitoring | SI | Identifies XML external entity processing via monitoring of unusual file/network access or resource usage. |

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-9670 KEV | 9.6 | 9.8 | 0.9443 | 2019-05-29 |
| CVE-2024-34102 KEV | 9.6 | 9.8 | 0.9413 | 2024-06-13 |
| CVE-2025-58360 KEV | 8.8 | 8.2 | 0.8592 | 2025-11-25 |
| CVE-2025-2775 KEV | 8.0 | 9.3 | 0.6926 | 2025-05-07 |
| CVE-2019-13608 KEV | 7.8 | 7.5 | 0.7126 | 2019-08-29 |
| CVE-2017-12629 | 7.6 | 9.8 | 0.9389 | 2017-10-14 |
| CVE-2022-28219 | 7.6 | 9.8 | 0.9420 | 2022-04-05 |
| CVE-2025-2776 KEV | 7.6 | 9.3 | 0.6260 | 2025-05-07 |
| CVE-2024-22024 | 7.3 | 8.3 | 0.9425 | 2024-02-13 |
| CVE-2020-24589 | 7.2 | 9.1 | 0.9016 | 2020-08-21 |
| CVE-2021-27931 | 7.2 | 9.1 | 0.8942 | 2021-03-03 |
| CVE-2022-3980 | 7.2 | 9.8 | 0.8796 | 2022-11-16 |
| CVE-2020-11991 | 7.1 | 7.5 | 0.9314 | 2020-09-11 |
| CVE-2022-31678 | 7.0 | 9.1 | 0.8596 | 2022-10-28 |
| CVE-2024-6893 | 7.0 | 7.5 | 0.9139 | 2024-08-08 |
| CVE-2022-2414 | 6.9 | 7.5 | 0.9069 | 2022-07-29 |
| CVE-2024-38653 | 6.9 | 7.5 | 0.9073 | 2024-08-14 |
| CVE-2016-9563 KEV | 6.8 | 6.5 | 0.5878 | 2016-11-23 |
| CVE-2020-4463 | 6.8 | 8.2 | 0.8575 | 2020-07-29 |
| CVE-2021-29447 | 6.8 | 7.1 | 0.8998 | 2021-04-15 |
| CVE-2018-2392 | 6.7 | 7.5 | 0.8638 | 2018-02-14 |
| CVE-2019-9757 | 6.7 | 7.5 | 0.8610 | 2019-10-29 |
| CVE-2018-1285 | 6.3 | 9.8 | 0.7207 | 2020-05-11 |
| CVE-2024-45293 | 5.7 | 7.5 | 0.7031 | 2024-10-07 |
| CVE-2011-3600 | 5.4 | 7.5 | 0.6558 | 2019-11-26 |