Web Security

XXE

XML External Entity (XXE) injection is a vulnerability that exploits weakly configured XML parsers that process external entity references. An attacker can use XXE to read local files from the server (such as /etc/passwd or private keys), perform server-side request forgery (SSRF), or cause denial of service through recursive entity expansion ("billion laughs" attacks). XXE is listed in the OWASP Top 10. Prevention requires disabling external entity processing (and ideally DOCTYPE handling altogether) in XML parsers, and using safer data formats like JSON where possible.
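As an added example (not part of this glossary entry), the Python guard below implements the prevention advice with the standard library only: a first expat pass refuses any document that carries a DOCTYPE or entity declaration, so both external entities (file read, SSRF) and recursive internal entities ("billion laughs") are rejected before the document reaches the tree parser. The sample documents and the placeholder file path are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or an entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # A DOCTYPE is the only place entities can be declared, so refusing it
    # blocks external entities (XXE/SSRF) and recursive internal entities alike.
    raise UnsafeXMLError(f"DOCTYPE <{name}> not permitted (SYSTEM={sysid!r})")


def _reject_entity(name, *_):
    # Defence in depth: fires for every <!ENTITY ...> declaration.
    raise UnsafeXMLError(f"entity declaration {name!r} not permitted")


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any document that declares entities."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.EntityDeclHandler = _reject_entity
    # Never fetch external entities, even if a declaration slipped through.
    scanner.ExternalEntityRefHandler = lambda *args: 0
    scanner.Parse(data, True)       # pass 1: raises UnsafeXMLError on DOCTYPE/ENTITY
    return ET.fromstring(data)      # pass 2: document is free of entity declarations


# Constructed sample inputs (not taken from any real system)
BENIGN_ORDER = b"<order><id>42</id><item>widget</item></order>"
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY leak SYSTEM "file:///PLACEHOLDER/secret"> ]>\n'
    b"<order><id>&leak;</id></order>"
)
BILLION_LAUGHS = (
    b'<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;"> ]>\n'
    b"<lolz>&lol2;</lolz>"
)


def is_rejected(data: bytes) -> bool:
    """True if the guard refuses the document, False if it parses cleanly."""
    try:
        parse_xml_safely(data)
    except UnsafeXMLError:
        return True
    return False
```

Rejecting the DOCTYPE outright is stricter than only disabling external entities, but for data exchanged between services it is the configuration that removes the whole class of entity-based attacks.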

Why it matters for your website

  1. Listed in the OWASP Top 10 — one of the most critical web risks
  2. Can lead to data exfiltration, account takeover, or full system compromise
  3. Required to fix before passing security reviews for enterprise customers

Check your site for XXE issues

Run a free scan to see if your domain has any XXE-related vulnerabilities or misconfigurations.
