CVE-2026-2536
MEDIUMopencc JFlow <= 20260129 - XML External Entity Injection via File Argument in Imp_Done Function
Title source: llmDescription
A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
References (6)
Core 6
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.346124
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.346124
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.748807
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.748808
Issue Tracking exploit
issue-tracking
https://gitee.com/opencc/JFlow/issues/IDN7GT
Various Sources product
https://gitee.com/opencc/JFlow/
Scores
CVSS v3
6.3
EPSS
0.0029
EPSS Percentile
20.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-610
CWE-611
Status
published
Products (1)
opencc/JFlow
20260129
Published
Feb 16, 2026
Tracked Since
Feb 18, 2026