Which category encompasses threats such as XXE and XML Bombs targeting XML parsers?


Multiple Choice

Which category encompasses threats such as XXE and XML Bombs targeting XML parsers?

Explanation:
Threats that target how XML parsers interpret documents fall under XML Attacks. XXE (XML External Entity) exploits take advantage of an XML parser that processes external entities, which can lead to disclosure of local files or internal network resources, or to SSRF-like behavior when the parser is made to fetch a URL. XML Bombs, such as the billion laughs attack, abuse nested entity definitions so that a small document expands enormously when parsed, exhausting CPU and memory and potentially crashing the parser. Both are specifically about the parsing step of XML data, not about cryptography, social engineering, or generic firewall configurations. That is why XML Attacks is the best fit for these threats. To defend, disable external entity and DTD processing in the parser, keep the parser and its libraries patched, and apply input validation and resource limits (for example, caps on entity expansion and document size).

