CVE-2026-2074
Unknown Unknown - Not Provided
XML External Entity Injection in O2OA HTTP POST Handler

Publication date: 2026-02-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2074
EUVD
EUVD-2026-5749
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneland o2oa to 9.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2074 is an XML External Entity (XXE) injection vulnerability found in the O2OA development platform versions 6.1.0 through 9.0.0. It exists in the HTTP POST Request Handler component, specifically in the endpoint /x_program_center/jaxrs/mpweixin/check. The vulnerability arises because the XML parser used by O2OA improperly processes XML documents containing external entity references, allowing an attacker to craft malicious XML payloads that reference external DTD files.'}, {'type': 'paragraph', 'content': 'An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted HTTP POST request containing XML with external entity references. This triggers the XML parser to load and process the external entities, which can lead to reading arbitrary files on the server or performing out-of-band data exfiltration.'}, {'type': 'paragraph', 'content': "The vulnerability leverages the Java XML parser's behavior, which restricts internal DTD entity nesting but does not prevent exploitation via external DTD files. Attackers can use parameter entity nesting in the external DTD to trigger error-based feedback from the parser, enabling them to extract sensitive information."}] [1, 2, 3, 4]

Impact Analysis

This vulnerability can impact you by allowing attackers to read arbitrary files on the affected server, potentially exposing sensitive information such as configuration files, credentials, or other private data.

Additionally, the vulnerability can be used for out-of-band data exfiltration, meaning attackers can extract data remotely without direct access to the server.

The flaw affects the confidentiality, integrity, and availability of the system, as attackers might gain unauthorized access to sensitive data, manipulate data, or disrupt service.

Since the exploit is publicly available and requires no authentication, the risk of exploitation is significant, especially if the vulnerable O2OA platform is exposed to untrusted networks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint `/x_program_center/jaxrs/mpweixin/check` containing XML payloads with external entity references such as `<!DOCTYPE`, `<!ENTITY`, `SYSTEM`, or `PUBLIC`.'}, {'type': 'paragraph', 'content': 'One approach is to inspect network traffic or logs for suspicious XML data that includes these keywords, which indicate attempts to exploit the XML External Entity (XXE) injection.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts could include using tools like `tcpdump` or `tshark` to capture HTTP POST requests and grep for suspicious XML content.'}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/x_program_center/jaxrs/mpweixin/check'"}, {'type': 'list_item', 'content': 'Using tshark to filter HTTP POST requests containing XML external entity keywords: tshark -Y \'http.request.method == "POST" && http contains "<!DOCTYPE"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'Additionally, Web Application Firewalls (WAFs) can be configured to detect and block XML payloads containing these keywords to help identify exploitation attempts.'}] [3]

Mitigation Strategies

Immediate mitigation steps include restricting outbound network connections from the O2OA server to prevent it from accessing external HTTP services, which blocks out-of-band data exfiltration.

Configuring a Web Application Firewall (WAF) to detect and block XML payloads containing keywords such as `<!DOCTYPE`, `<!ENTITY`, `SYSTEM`, or `PUBLIC` can help prevent exploitation.

At the application level, modifying the XML processing logic to disable DTD processing and external entity resolution is recommended to effectively prevent XXE attacks.

Since no official patch or fix is currently available, consider isolating or replacing the affected product if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart