CVE-2026-2536
XML External Entity Injection in opencc JFlow Workflow Engine

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. Manipulation of the argument File leads to an XML external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-02-16
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: opencc
Product: jflow
Version / Range: up to 20260129 (inclusive)
CWE
CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-610: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system running the affected JFlow Workflow Engine.

  • Disclosure of arbitrary local files such as sensitive configuration files, private keys, or system files like /etc/passwd.
  • Server-Side Request Forgery (SSRF), allowing attackers to interact with internal services that are otherwise inaccessible.
  • Denial-of-Service (DoS) attacks through XML bomb techniques like the "Billion Laughs" attack, potentially causing service disruption.

The exploit is easy to execute remotely, and no patches or mitigations are currently available, increasing the risk of successful attacks. [1, 2, 5]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Can you explain this vulnerability to me?

CVE-2026-2536 is an XML External Entity (XXE) vulnerability found in the opencc JFlow Workflow Engine, specifically in the Imp_Done function of the WF_Admin_AttrFlow.java file. The vulnerability occurs because the XML parser (SAXReader) used to process uploaded XML files is not securely configured, allowing attackers to manipulate the XML input to include external entity references.

This flaw enables an attacker to upload malicious XML files containing external entity declarations that can reference local files or external resources. When parsed, these entities can cause unauthorized disclosure of local files, server-side request forgery (SSRF), or denial-of-service (DoS) attacks.

The vulnerability can be exploited remotely by sending crafted XML payloads to the vulnerable endpoint, and a proof-of-concept exploit is publicly available.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for attempts to upload or process XML files containing external entity declarations or DOCTYPE definitions referencing external DTDs. Specifically, look for HTTP POST requests to the endpoint /WF/Comm/ProcessRequest with multipart/form-data containing XML payloads that include DOCTYPE declarations referencing external entities.

A practical detection method is to capture and inspect network traffic or logs for XML payloads with suspicious DOCTYPE or ENTITY declarations that attempt to load external resources.

Example commands to detect such activity might include using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint and grep for XML external entity patterns.

  • Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/WF/Comm/ProcessRequest'
  • Searching server logs for XML payloads containing DOCTYPE or ENTITY declarations: grep -i -E '<!DOCTYPE|<!ENTITY' /path/to/server/logs/*

Additionally, monitoring for unusual outbound HTTP requests from the server to attacker-controlled domains (as the exploit exfiltrates data via HTTP requests) can help detect exploitation attempts. [4]


What immediate steps should I take to mitigate this vulnerability?

Currently, there are no known patches or countermeasures provided by the opencc JFlow project for this vulnerability.

Immediate mitigation steps include:

  • Avoid using the vulnerable versions of opencc JFlow up to 20260129.
  • Consider disabling or restricting the XML import functionality that processes external entities, if possible.
  • Implement network-level controls to block outbound HTTP requests from the server to untrusted external hosts to prevent data exfiltration.
  • Monitor and restrict uploads of XML files or validate XML inputs to disallow external entity declarations.

Ultimately, consider migrating to alternative products or workflow engines that do not have this vulnerability until an official fix is released.
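The explanation above attributes the flaw to an insecurely configured SAXReader, and the mitigation list recommends validating imported XML so that entity declarations are refused. The following is an added example of that hardening, not code from the JFlow project: it assumes the parser is dom4j's org.dom4j.io.SAXReader (the class named in the explanation), and the Flow element and its attributes are constructed sample input.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public final class SafeFlowXmlReader {

    /** Builds a dom4j SAXReader that refuses DOCTYPEs and never resolves external entities. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Primary control: reject any <!DOCTYPE ...>. Without a DTD there is no
        // place to declare an entity, internal or external.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    /** Parses an uploaded flow definition with the hardened reader. */
    public static Document parseFlow(String xml) throws SAXException, DocumentException {
        return hardenedReader().read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain flow definition without a DTD parses normally.
        String benign = "<Flow No=\"001\" Name=\"Leave request\"/>";
        System.out.println("benign root: " + parseFlow(benign).getRootElement().getName());

        // Constructed sample: any DOCTYPE, even one declaring only an internal entity,
        // is rejected before entity expansion; dom4j surfaces this as DocumentException.
        String withDoctype = "<!DOCTYPE Flow [<!ENTITY x \"y\">]><Flow Name=\"&x;\"/>";
        try {
            parseFlow(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (DocumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Applying the same configuration at every SAXReader construction site (for example in Imp_Done) is the code-level fix; the network and upload controls listed above remain useful while the project ships no patch.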

