{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2536", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-15T09:19:07.190Z", "datePublished": "2026-02-16T05:02:14.100Z", "dateUpdated": "2026-02-23T10:05:58.889Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:05:58.889Z"}, "title": "opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "XML External Entity Reference"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-610", "lang": "en", "description": "Externally Controlled Reference"}]}], "affected": [{"vendor": "opencc", "product": "JFlow", "versions": [{"version": "20260129", "status": "affected"}], "modules": ["Workflow Engine"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-20T07:24:21.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "MaoQiu (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346124", "name": "VDB-346124 | opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346124", "name": "VDB-346124 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.748807", "name": "Submit #748807 | https://gitee.com/opencc/JFlow JFlow latest version XML External Entity Injection (XXE)", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.748808", "name": "Submit #748808 | https://gitee.com/opencc/JFlow JFlow latest version XML External Entity Injection (XXE) (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/opencc/JFlow/issues/IDN7GT", "tags": ["exploit", "issue-tracking"]}, {"url": "https://gitee.com/opencc/JFlow/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T17:05:07.890851Z", "id": "CVE-2026-2536", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T17:05:15.429Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2536", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T17:05:07.890851Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T17:05:12.379Z"}}], "cna": {"title": "opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference", "credits": [{"lang": "en", "type": "reporter", "value": "MaoQiu (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "opencc", "modules": ["Workflow Engine"], "product": "JFlow", "versions": [{"status": "affected", "version": "20260129"}]}], "timeline": [{"lang": "en", "time": "2026-02-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-20T07:24:21.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346124", "name": "VDB-346124 | opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346124", "name": "VDB-346124 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.748807", "name": "Submit #748807 | https://gitee.com/opencc/JFlow JFlow latest version XML External Entity Injection (XXE)", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.748808", "name": "Submit #748808 | https://gitee.com/opencc/JFlow JFlow latest version XML External Entity Injection (XXE) (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/opencc/JFlow/issues/IDN7GT", "tags": ["exploit", "issue-tracking"]}, {"url": "https://gitee.com/opencc/JFlow/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "XML External Entity Reference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-610", "description": "Externally Controlled Reference"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:05:58.889Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2536", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:05:58.889Z", "dateReserved": "2026-02-15T09:19:07.190Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-16T05:02:14.100Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se determin\u00f3 una vulnerabilidad en opencc JFlow hasta 20260129. Esto afecta a la funci\u00f3n Imp_Done del archivo src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java del componente Workflow Engine. Esta manipulaci\u00f3n del argumento File causa una referencia a entidad externa XML. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. Se inform\u00f3 al proyecto del problema tempranamente a trav\u00e9s de un informe de problema, pero a\u00fan no ha respondido."}], "id": "CVE-2026-2536", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-16T06:16:22.063", "references": [{"source": "cna@vuldb.com", "url": "https://gitee.com/opencc/JFlow/"}, {"source": "cna@vuldb.com", "url": "https://gitee.com/opencc/JFlow/issues/IDN7GT"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346124"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346124"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.748807"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.748808"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-610"}, {"lang": "en", "value": "CWE-611"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "20260129"}}], "product": "jflow", "vendor": "opencc"}], "analysis": {"en": {"generated_at": "2026-04-18T12:09:17.220625+00:00", "value": {"mitigation_remediation": ["Check the opencc JFlow project page and vendor communications for a patched release or security update.", "If no fix is available, immediately disable external entity processing in the XML parser used by WF_Admin_AttrFlow or restrict DOCTYPE declarations.", "Implement strict input validation or schema enforcement on the File argument so that only trusted, well\u2011formed XML is accepted, and log and monitor for attempts to submit malformed XML payloads."], "summary": {"action": "Assess Impact", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw exists in the opencc JFlow Workflow Engine, specifically in the WF_Admin_AttrFlow.java file, with affected releases up to 20260129. No specific patch version is indicated, so any deployment of the vulnerable component prior to the release of a fix remains at risk.", "description_and_impact": "The vulnerability in the Imp_Done function of opencc JFlow allows an attacker to craft an XML payload that triggers an external entity reference. This type of XML External Entity (XXE) flaw can expose internal files, allow remote code execution, or cause denial\u2011of\u2011service by exhausting resources. The associated CWE identifiers 610 and 611 reflect improper access controls and external entity handling, underscoring the potential for serious information disclosure or code execution.", "risk_and_exploitability": "The CVSS score of 5.3 places the vulnerability in the medium severity range. The EPSS score of less than 1% indicates a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remotely submitted XML document that invokes the File argument in the impacted function. Because the flaw is web\u2011exposed, an attacker could drive the application to process the crafted XML from an external source, thereby activating the XXE vulnerability."}}}}, "created": "2026-02-16T09:42:28.779986+00:00", "updated": "2026-04-18T12:15:15.781246+00:00", "vendors": ["opencc", "opencc$PRODUCT$jflow"]}