CVE-2026-2536

MEDIUM

opencc JFlow <20260129 - XXE

Title source: llm

Description

A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

[Permissions Required, VDB Entry] https://vuldb.com/?id.346124

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.346124

[Permissions Required, VDB Entry] https://vuldb.com/?submit.748807

[Permissions Required, VDB Entry] https://vuldb.com/?submit.748808

[Issue Tracking] https://gitee.com/opencc/JFlow/issues/IDN7GT

[Various Sources] https://gitee.com/opencc/JFlow/

Scores

CVSS v3 6.3

EPSS 0.0003

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-610 CWE-611

Status published

Products (1)

opencc/JFlow 20260129

Published Feb 16, 2026

Tracked Since Feb 18, 2026