---
type: "term"
title: "XXE (XML External Entity) Injection"
description: "An implementation flaw where an application processes XML input containing references to external entities, potentially leading to data disclosure, SSRF, or denial of service."
resource: "tlctc:term:xxe-xml-external-entity-injection"
tags:
  - "glossary"
---
# XXE (XML External Entity) Injection

An implementation flaw where an application processes XML input containing references to external entities, potentially leading to data disclosure, SSRF, or denial of service. In TLCTC: maps to `#2 Exploiting Server` (or `#3 Exploiting Client` per R-ROLE) — a coding flaw in XML parsing that creates an unintended data→code transition.
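One way to close this flaw at the parser, shown as an added example that is not part of the TLCTC glossary: a Python wrapper over the standard library's `xml.parsers.expat` that refuses DOCTYPE and entity declarations before any entity can be resolved. The names `parse_untrusted_xml` and `XXERejected` and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class XXERejected(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> list:
    """Parse XML and return the element names in document order.

    DOCTYPE declarations are rejected unless allow_dtd is set; entity
    declarations and external entity references are always rejected.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise XXERejected("DOCTYPE declaration rejected: %r" % name)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # system_id is set only for external entities (SYSTEM / PUBLIC).
        kind = "external" if system_id is not None else "internal"
        raise XXERejected("%s entity declaration rejected: %r" % (kind, name))

    def on_external_ref(context, base, system_id, public_id):
        raise XXERejected("external entity reference rejected: %r" % system_id)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return names


# Constructed sample inputs (placeholder host, not taken from the glossary).
BENIGN = b"<order><item/></order>"
WITH_ENTITY = (
    b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://example.invalid/x">]>'
    b"<r>&e;</r>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
```

Rejecting the DTD outright is the stricter default; `allow_dtd=True` is for inputs that legitimately carry a DOCTYPE, and entity declarations are still refused in that mode.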

**Reference:** V1.9.1 Buzz-Word Refinement (#2)

See also: Exploiting Server (#2), SSRF, Implementation Flaw

---
