In 2002-2003 I researched the security of XML (including XPath) and SOAP formats.
The research resulted in the following:
Whitepaper:
Blind XPath Injection (May 2004)
Advisories:
BugTraq BID 11384, CVE-2003-0718, Microsoft security bulletin MS04-030
Products affected: Microsoft IIS/5.0, IIS/5.1 and IIS/6.0
BugTraq BID 11312, CVE-2004-1575
Products affected: Apache Xerces-C++ 2.5.0
BugTraq BID 9877, CVE-2004-1815, CVE-2004-1816
Products affected: Macromedia ColdFusion/MX, Macromedia JRun, Sun Java System Application Server
BugTraq BID 9204
Products affected: IBM WebSphere 5.0.0, Microsoft ASP.NET
BugTraq BID 9185
Products affected: Microsoft ASP.NET, IBM WebSphere, Macromedia ColdFusion/MX, Macromedia JRun
BugTraq BID 6398, BugTraq BID 6378, BugTraq BID 6363, BugTraq BID 9703, CVE-2004-2244
Products affected: Apache Axis, IBM WebSphere, BEA WebLogic, Sun Microsystems SunONE WebServer, Sybase EAServer, Macromedia ColdFusion/MX, Macromedia JRun, HP server, Oracle 9iAS