What type of security risk can disclose internal files and cause remote code execution?


The correct answer is XML external entity (XXE), a security risk capable of disclosing internal files and enabling remote code execution. XXE attacks exploit vulnerabilities in an XML parser's handling of external entities. When XML input containing an external entity reference is processed, the parser may access file paths specified in the XML content and return their contents to the attacker. This gives unintended access to the file system, reveals sensitive internal files, and breaches confidentiality.

Moreover, XXE vulnerabilities can allow an attacker to initiate outbound connections, which can lead to remote code execution scenarios. By crafting specific XML payloads, the attacker can instruct the vulnerable application to make web requests to external servers, potentially allowing for the execution of malicious code hosted by the attacker.

While SQL Injection, session hijacking, and cross-site scripting are all significant web security risks, they do not specifically lead to the same type of disclosure of internal files or facilitate remote code execution through the exploitation of XML parsers. SQL Injection primarily targets databases, session hijacking focuses on manipulating session tokens, and cross-site scripting is aimed at executing scripts in the context of the user's browser. Each has its own implications for security but does not encompass the precise mechanics of file
