CVE-2026-2536
Unknown Unknown - Not Provided
XML External Entity Injection in opencc JFlow Workflow Engine

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2536
EUVD
EUVD-2026-6126
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencc jflow to 20260129 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system running the affected JFlow Workflow Engine.'}, {'type': 'list_item', 'content': 'Disclosure of arbitrary local files such as sensitive configuration files, private keys, or system files like /etc/passwd.'}, {'type': 'list_item', 'content': 'Server-Side Request Forgery (SSRF), allowing attackers to interact with internal services that are otherwise inaccessible.'}, {'type': 'list_item', 'content': 'Denial-of-Service (DoS) attacks through XML bomb techniques like the "Billion Laughs" attack, potentially causing service disruption.'}, {'type': 'paragraph', 'content': 'The exploit is easy to execute remotely, and no patches or mitigations are currently available, increasing the risk of successful attacks.'}] [1, 2, 5]

Compliance Impact

I don't know

Executive Summary

CVE-2026-2536 is an XML External Entity (XXE) vulnerability found in the opencc JFlow Workflow Engine, specifically in the Imp_Done function of the WF_Admin_AttrFlow.java file. The vulnerability occurs because the XML parser (SAXReader) used to process uploaded XML files is not securely configured, allowing attackers to manipulate the XML input to include external entity references.

This flaw enables an attacker to upload malicious XML files containing external entity declarations that can reference local files or external resources. When parsed, these entities can cause unauthorized disclosure of local files, server-side request forgery (SSRF), or denial-of-service (DoS) attacks.

The vulnerability can be exploited remotely by sending crafted XML payloads to the vulnerable endpoint, and a proof-of-concept exploit is publicly available.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for attempts to upload or process XML files containing external entity declarations or DOCTYPE definitions referencing external DTDs. Specifically, look for HTTP POST requests to the endpoint /WF/Comm/ProcessRequest with multipart/form-data containing XML payloads that include DOCTYPE declarations referencing external entities.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and inspect network traffic or logs for XML payloads with suspicious DOCTYPE or ENTITY declarations that attempt to load external resources.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint and grep for XML external entity patterns.'}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/WF/Comm/ProcessRequest'"}, {'type': 'list_item', 'content': "Searching server logs for XML payloads containing DOCTYPE or ENTITY declarations: grep -i -E '<!DOCTYPE|<!ENTITY' /path/to/server/logs/*"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual outbound HTTP requests from the server to attacker-controlled domains (as the exploit exfiltrates data via HTTP requests) can help detect exploitation attempts.'}] [4]

Mitigation Strategies

Currently, there are no known patches or countermeasures provided by the opencc JFlow project for this vulnerability.

Immediate mitigation steps include:

  • Avoid using the vulnerable versions of opencc JFlow up to 20260129.
  • Consider disabling or restricting the XML import functionality that processes external entities, if possible.
  • Implement network-level controls to block outbound HTTP requests from the server to untrusted external hosts to prevent data exfiltration.
  • Monitor and restrict uploads of XML files or validate XML inputs to disallow external entity declarations.

Ultimately, consider migrating to alternative products or workflow engines that do not have this vulnerability until an official fix is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2536. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart