CWE-643
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Extended description
The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
Common consequences
- Access Control: Bypass Protection Mechanism
Controlling application flow (e.g. bypassing authentication).
- Confidentiality: Read Application Data
The attacker could read restricted XML content.
Potential mitigations
- Implementation
Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
- Implementation
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
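The second mitigation in practice, as an added example that is not code from the CWE entry or from any vendor listed below: an XPath 1.0 string literal has no quote escape, so untrusted input is either single-quoted, double-quoted, or split into a concat() call, and the injectable concatenation pattern is shown beside it. It assumes the constructed user store and function names below and uses only the standard library; ElementTree's XPath subset evaluates the quoted forms but not concat(), which needs a full XPath 1.0 engine, and where the engine supports variable binding (the first mitigation) that is preferable to literal encoding.

```python
"""Encoding untrusted input as XPath string literals (CWE-643 mitigation)."""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample document standing in for an XML user store.
USERS_XML = """
<users>
  <user><name>alice</name><role>admin</role></user>
  <user><name>O'Reilly</name><role>user</role></user>
</users>
"""


def xpath_string_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.

    A value with no single quote is single-quoted, one with no double quote
    is double-quoted, and one containing both is split on the single quotes
    and reassembled with concat(), since XPath 1.0 cannot escape quotes.
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for chunk in value.split("'"):
        if chunk:
            parts.append("'" + chunk + "'")
        parts.append('"\'"')  # the single quote itself, double-quoted
    parts.pop()  # split() yields one more chunk than there are quotes
    return "concat(" + ", ".join(parts) + ")"


def unsafe_role_query(name: str) -> str:
    """Injectable pattern: a quote in the input ends the literal early and
    the remainder of the input is parsed as XPath, rewriting the predicate."""
    return "./user[name='" + name + "']/role"


def safe_role_query(name: str) -> str:
    """Same query with the untrusted value encoded as a literal."""
    return "./user[name=" + xpath_string_literal(name) + "]/role"


def lookup_role(name: str) -> Optional[str]:
    """Resolve a user's role with the safely built predicate (None if absent)."""
    node = ET.fromstring(USERS_XML).find(safe_role_query(name))
    return None if node is None else node.text
```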
CVEs referencing this CWE
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2023-36429 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | MEDIUM 6.5 | 2.04% (p79) | | 2025-04-14 |
| CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | MEDIUM 6.5 | 1.92% (p77) | | 2025-04-14 |
| CVE-2020-25162 | An XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges. | HIGH 7.5 | 1.75% (p75) | | 2025-04-16 |
| CVE-2023-24922 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | MEDIUM 6.5 | 1.46% (p70) | | 2025-01-01 |
| CVE-2024-2648 | A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to improper neutralization of data within xpath expressions. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257286 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | MEDIUM 5.3 | 0.73% (p49) | | 2025-01-30 |
| CVE-2024-2645 | A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation of the argument UserId leads to improper neutralization of data within xpath expressions. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257283. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | MEDIUM 5.3 | 0.73% (p49) | | 2025-01-30 |
| CVE-2026-24343 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0. Users are recommended to upgrade to version 1.8.0, which fixes the issue. | HIGH 8.8 | 0.72% (p49) | | 2026-02-11 |
| CVE-2024-8955 | A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS actions. | HIGH 7.5 | 0.63% (p45) | | 2025-10-15 |
| CVE-2024-39565 | An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device. While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device. This issue affects Junos OS: all versions before 21.2R3-S8; from 21.4 before 21.4R3-S7; from 22.2 before 22.2R3-S4; from 22.3 before 22.3R3-S3; from 22.4 before 22.4R3-S2; from 23.2 before 23.2R2; from 23.4 before 23.4R1-S1, 23.4R2. | HIGH 8.8 | 0.49% (p38) | | 2026-01-22 |
| CVE-2025-20218 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. | MEDIUM 4.9 | 0.42% (p33) | | 2025-08-25 |
| CVE-2026-44962 | Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation. | CRITICAL 10.0 | 0.31% (p22) | | 2026-05-29 |
| CVE-2026-40699 | A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | MEDIUM 6.5 | 0.27% (p18) | | 2026-05-13 |
| CVE-2022-43840 | IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document. | MEDIUM 4.3 | 0.24% (p15) | | 2025-08-15 |
| CVE-2025-11844 | Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise of the reliability of automated web tasks. The issue is fixed in version 1.22.0. | MEDIUM 5.4 | 0.23% (p13) | PoC | 2025-10-30 |
| CVE-2022-50807 | Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. | MEDIUM 9.8 | no EPSS | | 2026-01-14 |