CVE-2025-2776

CRITICAL Year: 2025
CVSS v3 Score
9.3
Critical
Weakness Type
CWE-611
View all →

Vulnerability Description

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.

Related Vulnerabilities

CVE-2019-10309

CRITICAL
CVSS:9.3(Critical)

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing u...

CWE-6112019

CVE-2020-6238

CRITICAL
CVSS:9.3(Critical)

SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and av...

CWE-6112020

CVE-2025-2775

CRITICAL
CVSS:9.3(Critical)

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and...

CWE-6112025

CVE-2025-2777

CRITICAL
CVSS:9.3(Critical)

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and fi...

CWE-6112025

CVE-2018-3881

CRITICAL
CVSS:9.4(Critical)

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server t...

CWE-6112018

CVE-2012-2239

CRITICAL
CVSS:9.1(Critical)

Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading...

CWE-6112012