JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
{ "vanir_signatures": [ { "source": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353", "deprecated": false, "target": { "file": "javamelody-core/src/main/java/net/bull/javamelody/PayloadNameRequestWrapper.java", "function": "parseSoapMethodName" }, "signature_version": "v1", "digest": { "length": 701.0, "function_hash": "290680416238790860849901946091720060384" }, "signature_type": "Function", "id": "CVE-2018-15531-1461a3f0" }, { "source": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353", "deprecated": false, "target": { "file": "javamelody-core/src/main/java/net/bull/javamelody/PayloadNameRequestWrapper.java" }, "signature_version": "v1", "digest": { "line_hashes": [ "328692930432441516103607652630260348373", "298394040672344309547826861720471087794", "193106074442589336721762830267992845355", "180543439916777456920344304702845623167" ], "threshold": 0.9 }, "signature_type": "Line", "id": "CVE-2018-15531-daa3a8d6" } ] }