XSLT Injection


It is possible to supply an XSL template to a server-side XSLT processor. XSLT processors can be abused to read or write files, initiate outbound connections, and in some cases execute arbitrary code.


Applications should never accept user-supplied style sheets. XSLT processors are not built to handle potentially malicious stylesheet files. However, some processors do implement or offer security features which may be available. Consult the documentation for the XSLT processor used by the target application for security guidelines and hardening steps. It is recommended that all XML parsers and processors at the very least disable external entity resolution.


ID Aggregated CWE Type Risk
74.1 false 74 Active high