CVE-2026-3813
Remote Injection Vulnerability in opencc JFlow Calculate Function
Publication date: 2026-03-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencc | jflow | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3813 is a remote code execution vulnerability in the opencc JFlow workflow system, specifically in the Calculate() method of the file src/main/java/bp/wf/httphandler/WF_CCForm.java.
The vulnerability arises because the Calculate() method uses a Java ScriptEngine to evaluate expressions without proper input filtering or sanitization, allowing attacker-controlled input to be executed as code.
Attackers can inject malicious scripts into the Tag field of the Sys_MapExt table via the Automatic Calculation (AutoFull) feature, and trigger execution by sending specially crafted HTTP POST requests to the dtlImp_Save() endpoint.
This improper handling of input leads to an injection flaw classified under CWE-74, enabling remote attackers to execute arbitrary system commands on the server hosting the JFlow application.
How can this vulnerability impact me? :
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary system commands on the backend server with high privileges.
This can lead to full system compromise, including stealing sensitive data, implanting backdoors, tampering with business data, or causing service disruptions.
The attack is remotely exploitable without requiring local access or user interaction, making it a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-3813 involves monitoring for exploitation attempts targeting the dtlImp_Save() endpoint with specially crafted HTTP POST requests containing JSON payloads with more than 30 entries.
Specifically, detection can focus on identifying HTTP POST requests that attempt to modify the Tag field in the Sys_MapExt table with suspicious script payloads, especially those containing JavaScript code invoking system commands.
Network or system administrators can look for unusual or unexpected POST requests to the dtlImp_Save() interface, particularly those that include large JSON arrays and parameters like EnsName set to sub-table entity names.
While no explicit detection commands are provided, administrators can use web server logs or network monitoring tools to filter for POST requests to dtlImp_Save and analyze payload contents for script injection patterns.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Currently, there are no known patches or official mitigations available for CVE-2026-3813 as the project has not responded to the issue report.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the dtlImp_Save() endpoint to trusted users or networks to prevent unauthorized exploitation.'}, {'type': 'paragraph', 'content': "Disabling or restricting the 'Automatic Calculation' (AutoFull) feature in the frontend, which allows modification of the Tag field in the Sys_MapExt table, can reduce the attack surface."}, {'type': 'paragraph', 'content': 'Monitoring and blocking suspicious HTTP POST requests with large JSON payloads targeting dtlImp_Save() can help prevent exploitation.'}, {'type': 'paragraph', 'content': 'Consider replacing the affected component with an alternative product if feasible, as suggested due to the lack of patches.'}] [1, 2]