D2 · Threats

What is XXE (XML External Entity) injection?

XXE exploits XML parsers that process external entities. An attacker-supplied document declares an entity that the parser resolves, which can read local files (/etc/passwd), reach internal services (SSRF), or cause a denial of service through recursive entity expansion.

XXE in cloud → SSRF → AWS IMDS → IAM credentials → full account compromise. Prevention: disable DTD and external entity processing in ALL XML parsers the application uses (many enable it by default). Listed in the OWASP Top 10; critical and often overlooked. Move to JSON APIs where possible.
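The prevention advice above is easiest to get right by refusing DTD constructs before the parser can act on them. The following is an added example, not code from the glossary page, using only Python's standard-library expat bindings (`xml.parsers.expat`); the function names `parse_untrusted_xml` and `is_safe_xml`, and the sample documents, are constructed for illustration. Any DOCTYPE, entity declaration or external entity reference raises, which closes the file-read, SSRF and expansion cases in one place regardless of the parser's default behaviour.

```python
"""Hard-fail XML parsing for untrusted input (added example, stdlib only)."""
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML contains a DOCTYPE, entity or external reference."""


def _reject(*_args, **_kwargs):
    # Every DTD construct is refused outright: no DOCTYPE, no <!ENTITY ...>,
    # no external entity reference. Refusing at declaration time means the
    # parser never gets as far as resolving file:// or http:// targets.
    raise ForbiddenXML("DOCTYPE / entity declarations are not allowed")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into a minimal nested dict: {'tag', 'attrs', 'text', 'children'}.

    Hypothetical helper: builds a tiny tree so the caller never touches expat.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities, which can pull in an external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject
    parser.UnparsedEntityDeclHandler = _reject
    parser.ExternalEntityRefHandler = _reject

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(_name):
        stack.pop()

    def chars(text):
        # expat may deliver character data in several chunks; concatenate them.
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root["children"][0]


def is_safe_xml(data: bytes) -> bool:
    """Return True if the document parses without any forbidden DTD construct."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenXML:
        return False
    return True


# Constructed sample inputs (not captured from any real system).
BENIGN_SAMPLE = b"<order id='7'><item sku='A1'>2</item></order>"
# The classic file-read shape described on the page: an external entity
# pointing at a local path. The hardened parser rejects it at the DOCTYPE.
FILE_READ_SAMPLE = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE d [<!ENTITY x SYSTEM 'file:///etc/passwd'>]>"
    b"<d>&x;</d>"
)
# Recursive entity expansion (denial of service); also rejected at the DOCTYPE.
EXPANSION_SAMPLE = (
    b"<!DOCTYPE d [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
    b"<d>&b;</d>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_SAMPLE))
    print(is_safe_xml(FILE_READ_SAMPLE), is_safe_xml(EXPANSION_SAMPLE))
```

Rejecting the DOCTYPE outright is deliberate: applications that genuinely need a DTD are rare, and allowing internal entities while blocking external ones still leaves expansion attacks open. The same hard-fail posture applies to other libraries; the page's point stands that the setting has to be applied to every parser in the code base, not just one.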