Skip to main content
Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-643: Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
OWASP:
- A03:2021 - Injection