Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-91

CWE-91

XML Injection (aka Blind XPath Injection)

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

128 vulnerabilities with CWE-91

CVE-2026-53723 MEDIUM

guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator

CVE-2026-46490 HIGH

samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions

CVE-2026-11169 HIGH

Google Chrome - XSS

CVE-2026-47273 MEDIUM

pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

CVE-2026-40165 HIGH

authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation

CVE-2026-44665 MEDIUM

fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes

CVE-2026-44664 MEDIUM

fast-xml-builder: Comment Value bypass regex

CVE-2026-41650 MEDIUM

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

CVE-2026-41675 HIGH

xmldom: XML node injection through unvalidated processing instruction serialization

CVE-2026-41674 HIGH

xmldom: XML injection through unvalidated DocumentType serialization

CVE-2026-41672 HIGH

xmldom: XML node injection through unvalidated comment serialization

CVE-2026-27693 MEDIUM

traccar allows XML injection in KML and GPX exports

CVE-2026-32870 HIGH

Kirby has XML injection in its XML creator toolkit

CVE-2026-34601 HIGH

xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion

CVE-2026-28770 HIGH

International Datacasting SFX Series SuperFlex Web Interface 101 Authenticated XML Injection

CVE-2026-1554 MEDIUM

Drupal Central Authentication System (CAS) Server < 2.0.3 and 2.1.0-2.1.2 - XML Injection

CVE-2025-1545 HIGH

WatchGuard Fireware OS <12.11.4-12.5.13 - Info Disclosure

CVE-2025-66034 MEDIUM

fonttools 4.33.0-4.60.1 - Remote Code Execution via Malicious .designspace File Processing

CVE-2025-12921 MEDIUM

OpenClinica Community Edition <3.12.2/3.13 - XML Injection

CVE-2025-7473 MEDIUM

Zohocorp ManageEngine EndPoint Central <11.4.2516.1 - XML Injection

CVE-2025-60833 MEDIUM

uzy-ssm-mall 1.1.0 - XML External Entity Injection in /mall/wxpay/pay

CVE-2025-54251 MEDIUM

Adobe Experience Manager <6.5.23.0 - Code Injection

CVE-2025-24404 HIGH

Apache HertzBeat < 1.7.0 - Authenticated XML Injection via Sitemap XML Parsing

CVE-2025-9375 MEDIUM

xmltodict 0.14.2-0.15.0 - XML Injection via Unsanitized Element Names

CVE-2025-47184 MEDIUM

Exagid EX10 <6.4.0 P20-7.2.0 P08 - SSRF

Page 1 of 6 Next

Details

Vulnerabilities 128

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy