WSO2 Products Fail to Safely Process User-Submitted XML Data

CVE-2024-2374
Summary

WSO2's XML parsers don't safely handle user-submitted data, allowing attackers to read sensitive files or crash servers. This can lead to unauthorized data exposure or service disruption. Update your WSO2 products to the latest version to fix this issue.

Original description
The XML parsers within multiple WSO2 products accept user-supplied XML data without being properly configured to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.

By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.
NVD CVSS 3.1 score: 7.5
Vulnerability type
CWE-611 XML External Entity (XXE)
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026
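As an added defensive example (not WSO2 code and not part of the advisory), this is the Java DOM parser configuration that blocks the external-entity resolution and entity-expansion behavior this record describes. The feature URIs are the standard Xerces/SAX ones, the class and method names are hypothetical, and the sample payload is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Builds a DocumentBuilder that cannot resolve external entities (CWE-611).
    // Feature URIs are the standard Xerces/SAX ones documented in the OWASP XXE cheat sheet.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE elsewhere:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // entity expansion limits
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the input was accepted, false if the hardened parser rejected it.
    public static boolean parseUntrusted(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // A rejected DOCTYPE surfaces here; log it as a detection signal for monitoring.
            System.err.println("rejected XML input: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newHardenedBuilder();
        // Constructed sample: a DOCTYPE declaring an external entity, the shape the advisory describes.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY ext SYSTEM \"http://placeholder.invalid/\">]><d>&ext;</d>";
        String plain = "<?xml version=\"1.0\"?><d>ok</d>";
        System.out.println("doctype payload accepted: " + parseUntrusted(b, withDoctype));
        System.out.println("plain document accepted:  " + parseUntrusted(b, plain));
    }
}
```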