PT-2026-8312 · Unknown · Opencc Jflow
Maoqiu · Published 2026-02-16 · Updated 2026-02-16 · CVE-2026-2536
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
opencc JFlow versions prior to 20260129
Description
A flaw exists in opencc JFlow's Workflow Engine component, specifically within the Imp Done function of the src/main/java/bp/wf/httphandler/WF Admin AttrFlow.java file. The issue stems from manipulation of the File argument, which leads to an XML External Entity (XXE) reference. The attack can be initiated remotely. The details of this issue have been publicly disclosed, and the project has been notified but has not yet responded.
Recommendations
Update opencc JFlow to a version later than 20260129.
As a temporary workaround, restrict access to the WF Admin AttrFlow.java file.
Avoid using the File argument in the Imp Done function until the issue is resolved.
Exploit
Fix
XXE
Affected products
Opencc Jflow