XXE stands for XML External Entity. It is a type of security vulnerability that occurs when an application parses XML input containing references to external entities. In XML, entities are placeholders that represent data; external entities are entities whose contents are defined outside the XML document itself (in the example below, a file on the server's filesystem). When an application is vulnerable to XXE, an attacker may be able to include external entities in the XML input, leading to various security risks. The most common exploitation involves reading files on the server: the parser resolves the entity, and the file contents are substituted into the document wherever the entity is referenced.
<?xml version="1.0"?>
<!-- The DOCTYPE carries an internal DTD subset; this is the only place an entity can be declared. -->
<!DOCTYPE message [
  <!-- SYSTEM marks the entity as external: its value is read from the given URI, here a local file. -->
  <!ENTITY bigkak SYSTEM 'file:///flag'>
]>
<order>
  <!-- The reference is replaced by the file contents when the parser resolves the entity. -->
  <food>&bigkak;</food>
</order>
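The payload above only works when the parser honours the DOCTYPE and resolves the SYSTEM entity. The following added example (not part of the original page) shows a hardened parse routine, built on the standard library's expat bindings, that refuses any DOCTYPE and any external entity reference before they can be resolved; the sample inputs (`XXE_PAYLOAD`, `BENIGN_ORDER`) and the function names are constructed for the example.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or references an external entity."""

def parse_untrusted_xml(data: str) -> dict:
    """Parse untrusted XML into {leaf element: text}. A DOCTYPE (the only place an
    <!ENTITY ... SYSTEM ...> can live) or an external entity reference aborts the
    parse with UnsafeXMLError instead of being resolved."""
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities, the vector for pulling in an external DTD.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    leaves, buf = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not permitted in untrusted XML")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: even if a DTD got through, refuse to fetch anything.
        raise UnsafeXMLError(f"external entity {system_id!r} refused")

    def on_end(tag):
        text = "".join(buf).strip()
        if text:
            leaves[tag] = text
        buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda tag, attrs: buf.clear()
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return leaves

# Constructed sample inputs: the page's payload and a benign order of the same shape.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY bigkak SYSTEM 'file:///flag'>
]>
<order><food>&bigkak;</food></order>"""
BENIGN_ORDER = '<?xml version="1.0"?><order><food>pizza</food></order>'

def is_safe(data: str) -> bool:
    """True when the document parses without tripping the XXE guards."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False
```

Rejecting the DOCTYPE outright is the simplest robust fix; if an application genuinely needs DTDs, the external-entity handler still stops the parser from fetching anything from disk or the network.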