CVE-2026-2536

CVSS v2.0

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions opencc JFlow versions prior to 20260129

Description A flaw exists in opencc JFlow’s Workflow Engine component, specifically within the

Imp Done

function of the

src/main/java/bp/wf/httphandler/WF Admin AttrFlow.java

file. This issue stems from the manipulation of the

File

argument, leading to XML External Entity (XXE) reference. The attack can be initiated remotely. The details of this issue have been publicly disclosed, and the project has been notified but has not yet responded.

Recommendations Update opencc JFlow to a version later than 20260129. As a temporary workaround, restrict access to the

WF Admin AttrFlow.java

file. Avoid using the

File

argument in the

Imp Done

function until the issue is resolved.

Exploit

Fix

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-610CWE-611

Related Identifiers

CVE-2026-2536

Affected Products

Opencc Jflow

CVE-2026-2536

Weakness Enumeration

Related Identifiers

Affected Products

References · 9