CVE-2018-20318

CRITICAL

weixin-java-tools <3.2.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-20318. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The repository contains only configuration files, documentation, and source code for a Java SDK without any exploit code or technical analysis of CVE-2018-20318.

Description

An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-20318-weixin-java-tools-vulnerable

The repository contains only configuration files, documentation, and source code for a Java SDK without any exploit code or technical analysis of CVE-2018-20318.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: weixin-java-tools
No auth needed
Prerequisites: none
devstral-2 · analyzed Mar 14, 2026

nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-20318-weixin-java-tools-vulnerable

This repository contains a vulnerable version of the weixin-java-tools SDK, which is affected by CVE-2018-20318. The repository includes source code, build configurations, and documentation but does not contain an explicit exploit PoC.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: weixin-java-tools SDK
No auth needed
Prerequisites: Access to a vulnerable version of the weixin-java-tools SDK
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Wechat-Group/weixin-java-tools/issues/889

Scores

CVSS v3 9.8
EPSS 0.0166
EPSS Percentile 73.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-611
Status published
Products (1)
wxjava_project/wxjava 3.2.0
Published Dec 21, 2018
Tracked Since Feb 18, 2026