Top XXE reports from HackerOne:
- XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 311 upvotes, $0
- XXE on pulse.mail.ru to Mail.ru - 264 upvotes, $6000
- XXE on sms-be-vip.twitter.com in SXMP Processor to X (Formerly Twitter) - 251 upvotes, $0
- XXE on https://duckduckgo.com to DuckDuckGo - 212 upvotes, $0
- Phone Call to XXE via Interactive Voice Response to ██████ - 171 upvotes, $0
- Partial bypass of #483774 with Blind XXE on https://duckduckgo.com to DuckDuckGo - 151 upvotes, $0
- Multiple endpoints are vulnerable to XML External Entity injection (XXE) to Pornhub - 138 upvotes, $2500
- XXE through injection of a payload in the XMP metadata of a JPEG file to Informatica - 131 upvotes, $0
- XXE Injection through SVG image upload leads to SSRF to Zivver - 112 upvotes, $0
- XXE in Site Audit function exposing file and directory contents to Semrush - 102 upvotes, $0
- XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 91 upvotes, $0
- [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com to Pornhub - 90 upvotes, $0
- Blind XXE via Powerpoint files to Open-Xchange - 86 upvotes, $2000
- LFI and SSRF via XXE in emblem editor to Rockstar Games - 72 upvotes, $1500
- blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $0
- Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
- XXE on webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $0
- XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $0
- [rev-app.informatica.com] - XXE to Informatica - 44 upvotes, $0
- RCE via Local File Read -> php unserialization -> XXE -> unpickling to h1-5411-CTF - 44 upvotes, $0
- XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 41 upvotes, $0
- Authenticated XXE to WordPress - 40 upvotes, $0
- XML Parser Bug: XXE over which leads to RCE to drchrono - 34 upvotes, $0
- [HTA2] XXE on https://███ via SpellCheck Endpoint. to U.S. Dept Of Defense - 33 upvotes, $0
- XXE on DoD web server to U.S. Dept Of Defense - 31 upvotes, $0
- Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 30 upvotes, $0
- [app.informaticaondemand.com] XXE to Informatica - 24 upvotes, $0
- Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
- Non-production Open Database In Combination With XXE Leads To SSRF to Evernote - 23 upvotes, $0
- XXE in upload file feature to Informatica - 21 upvotes, $0
- [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ to QIWI - 18 upvotes, $0
- Blind XXE on pu.vk.com to VK.com - 16 upvotes, $500
- AEM forms XXE Vulnerability to Adobe - 15 upvotes, $0
- XXE in the Connector Designer to Bime - 13 upvotes, $0
- [marketplace.informatica.com] - XXE to Informatica - 13 upvotes, $0
- blind XXE when uploading avatar in mymail phone app to Mail.ru - 12 upvotes, $1000
- OOB XXE to Mail.ru - 12 upvotes, $500
- [rev-app.informatica.com] - XXE via SAML to Informatica - 11 upvotes, $0
- [marketplace.informatica.com] - XXE to Informatica - 11 upvotes, $0
- XXE issue to Moneybird - 11 upvotes, $0
- h1-5411-CTF report: LFI / Deserialization / XXE vulnerability, to h1-5411-CTF - 8 upvotes, $0
- [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB to Uber - 8 upvotes, $0
- XXE critical to Mail.ru - 7 upvotes, $0
- XXE in Enterprise Search's App Search web crawler to Elastic - 7 upvotes, $0
- XXE on www.publish.engelvoelkers.com to Engel & Völkers Technology GmbH - 7 upvotes, $0
- XXE at Informatica sub-domain to Informatica - 6 upvotes, $0
- [Java]: Add XXE sinks to GitHub Security Lab - 6 upvotes, $0
- OOB XXE to Mail.ru - 5 upvotes, $500
- [Python]: CWE-611: XXE to GitHub Security Lab - 4 upvotes, $1800
- XXE and SSRF on webmaster.mail.ru to Mail.ru - 4 upvotes, $0
- XXE in OAuth2 Applications gallery profile App logo to Coinbase - 3 upvotes, $0
- XXE at host vpn.owncloud.com to ownCloud - 2 upvotes, $0
- Pippo XML Entity Expansion (Billion Laughs Attack) to Central Security Project - 1 upvote, $0