JavaMelody before 1.74.0 has an XML External Entity (XXE) vulnerability via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
{ "vanir_signatures": [ { "target": { "function": "parseSoapMethodName", "file": "javamelody-core/src/main/java/net/bull/javamelody/PayloadNameRequestWrapper.java" }, "signature_type": "Function", "source": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353", "id": "CVE-2018-15531-1461a3f0", "signature_version": "v1", "deprecated": false, "digest": { "function_hash": "290680416238790860849901946091720060384", "length": 701.0 } }, { "target": { "file": "javamelody-core/src/main/java/net/bull/javamelody/PayloadNameRequestWrapper.java" }, "signature_type": "Line", "source": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353", "id": "CVE-2018-15531-daa3a8d6", "signature_version": "v1", "deprecated": false, "digest": { "line_hashes": [ "328692930432441516103607652630260348373", "298394040672344309547826861720471087794", "193106074442589336721762830267992845355", "180543439916777456920344304702845623167" ], "threshold": 0.9 } } ] }