CVE-2026-2252

An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-026-005-for-Xerox-Freeflow-Core.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xerox:freeflow_core:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-27 09:16

Updated : 2026-03-02 18:24

NVD link : CVE-2026-2252

Mitre link : CVE-2026-2252

CVE.ORG link : CVE-2026-2252

JSON object : View

Products Affected

xerox

freeflow_core

CWE

CWE-611

Improper Restriction of XML External Entity Reference

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-2252", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "10b61619-3869-496c-8a1e-f291b0e71e3f", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-27T09:16:17.130", "references": [{"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-026-005-for-Xerox-Freeflow-Core.pdf", "tags": ["Vendor Advisory"], "source": "10b61619-3869-496c-8a1e-f291b0e71e3f"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "10b61619-3869-496c-8a1e-f291b0e71e3f", "description": [{"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references.\n\nThis issue affects Xerox FreeFlow Core versions up to and including 8.0.7.\u00a0\n\nPlease consider upgrading to FreeFlow Core version 8.1.0 via the software available on -\u00a0 https://www.support.xerox.com/en-us/product/core/downloads"}, {"lang": "es", "value": "Una vulnerabilidad de Entidad Externa XML (XXE) permite a un usuario malintencionado realizar una falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) a trav\u00e9s de una entrada XML manipulada que contiene referencias a entidades externas maliciosas.\n\nEste problema afecta a las versiones de Xerox FreeFlow Core hasta la 8.0.7 inclusive.\n\nConsidere actualizar a la versi\u00f3n 8.1.0 de FreeFlow Core a trav\u00e9s del software disponible en - https://www.support.xerox.com/en-us/product/core/downloads"}], "lastModified": "2026-03-02T18:24:05.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xerox:freeflow_core:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB016BFC-2C5B-4CFA-BC3C-B5A9DBF893F1", "versionEndExcluding": "8.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "10b61619-3869-496c-8a1e-f291b0e71e3f"}