Executive Summary

CVE-2026-36765 is an XML External Entity (XXE) vulnerability found in the SpringBlade framework's blade-report module, specifically in the /ureport/designer/loadReport endpoint.

The vulnerability arises because the XML parser used (SAXParser) does not disable external entity resolution or DOCTYPE declarations, allowing an authenticated attacker to inject a malicious XML payload.

An attacker can upload a crafted XML report containing an XXE payload via the POST /ureport/designer/saveReportFile endpoint. This payload is stored in the database and triggered when the report is loaded, enabling the attacker to read arbitrary files on the server, perform server-side request forgery (SSRF), or cause denial of service attacks.

The root cause is the default configuration of the XML parser in UReport2's ReportParser class, which automatically resolves external entities without security hardening.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Arbitrary file reads on the server, potentially exposing sensitive information such as configuration files or user data.
• Server-side request forgery (SSRF), allowing attackers to make unauthorized network requests from the server.
• Denial of service attacks, for example through payloads like the Billion Laughs attack, which can exhaust server resources.

Overall, exploitation can lead to data breaches, service disruption, and unauthorized access to internal systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable endpoints and testing for XML External Entity (XXE) injection attempts. Specifically, the `/ureport/designer/loadReport` and `/ureport/designer/saveReportFile` endpoints should be inspected.

One way to detect exploitation attempts is to monitor HTTP POST requests to `/ureport/designer/saveReportFile` containing XML payloads with suspicious DOCTYPE declarations or ENTITY definitions, such as `<!ENTITY xxe SYSTEM "file:///etc/passwd">`.

Commands to test or detect the vulnerability might include using curl or similar tools to send crafted XML payloads to the saveReportFile endpoint and observe if the server processes external entities:

• curl -X POST -H "Content-Type: application/xml" --data-binary @payload.xml https://target/ureport/designer/saveReportFile
• Where `payload.xml` contains an XXE payload such as: <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <report>&xxe;</report>

Additionally, monitoring server logs for unusual file read attempts or SSRF activity triggered by the XML parser resolving external entities can help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling the `/ureport/designer/*` endpoints in production environments to prevent exploitation.

Apply code-level fixes to the XML parser configuration by disabling external entity resolution and DOCTYPE declarations in the SAXParser used by UReport2's ReportParser class.

Sanitize XML content before storing it in the database to prevent malicious payloads from being saved and later triggered.

Consider migrating to a maintained and secure reporting engine, as UReport2 is no longer maintained and contains other known vulnerabilities.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-36765 vulnerability allows authenticated attackers to execute arbitrary code and read sensitive files on the server by exploiting an XML External Entity (XXE) flaw in SpringBlade's reporting module.

This exposure of sensitive data and potential unauthorized access could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on personal and sensitive information.

Specifically, the ability to read arbitrary files or perform server-side request forgery may result in unauthorized disclosure of personal data, undermining confidentiality and integrity requirements mandated by these standards.

Therefore, organizations using affected versions of SpringBlade must address this vulnerability promptly to maintain compliance with common data protection regulations.

Useful 0 Not Useful 0