D2 · Threats

What is XML External Entity (XXE) injection?

XXE abuses XML parsers that are configured to resolve external entity references in untrusted input. Typical consequences are reading local files (such as /etc/passwd), server-side request forgery (SSRF) against internal services, and denial of service through recursive entity expansion.
Most critical form when found: in cloud environments, XXE often chains SSRF → cloud metadata service → IAM credentials → full account compromise. Prevention: disable external entity processing in every XML parser, and prefer JSON over XML for APIs where possible.