Description
A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Information Disclosure
Action: Assess Impact
AI Analysis

Impact

This vulnerability occurs when a crafted XML payload is submitted via a POST request to the /x_program_center/jaxrs/mpweixin/check endpoint, allowing the attacker to inject an XML external entity reference. The injected entity may reference external resources or memory, potentially exposing sensitive data, and can lead to server-side request forgery or denial of service. The weakness corresponds to CWE-610 (Improper Restriction of XML External Entity Reference) and CWE-611 (XML External Entity Injection).

Affected Systems

O2OA versions up to 9.0.0 are affected. The flaw resides in the HTTP POST Request Handler for the /x_program_center/jaxrs/mpweixin/check function. The vendor is O2OA under the Zoneland umbrella.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but exploit code is publicly available. Attackers can trigger the flaw remotely over the network by sending a malicious XML payload to the exposed endpoint; no special privileges or additional conditions are required beyond network connectivity. Note, however, that the CVSS v3.x and v4.0 vectors recorded in the history below carry PR:L, i.e. they assume low-privilege access to the application.

Generated by OpenCVE AI on April 18, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or update to a fixed O2OA version when available.
  • Configure the XML parser to disallow external entity references, for example by disabling DOCTYPE processing or setting the external entity feature to false.
  • Restrict access to the /x_program_center/jaxrs/mpweixin/check endpoint to trusted IP ranges or implement firewall rules to limit exposure.
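One way to implement the parser-hardening recommendation above in Java's built-in JAXP API, which is what a JAX-RS service like this endpoint would typically parse XML with; this is an added example, not O2OA's own code, and the class, method and probe-document names are assumptions of mine. It compares a hardened factory against a stock one on a constructed DOCTYPE-bearing document so the setting can be covered by a regression test.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class XxeHardening {

    // Hardened JAXP factory: reject any DOCTYPE outright (the single most effective
    // setting) and, as defence in depth, also disable entity resolution, external DTDs and XInclude.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // True when the factory refuses the document, false when it parses it.
    // A DOCTYPE-bearing request must come back as true once the parser is hardened.
    public static boolean rejects(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (Exception e) { // SAXParseException ("DOCTYPE is disallowed") for the DOCTYPE case
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe documents: the first carries only an internal entity,
        // so it names no external resource and is safe to keep in a test suite.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"probe\">]><x>&e;</x>";
        String plain = "<?xml version=\"1.0\"?><x>plain</x>";

        DocumentBuilderFactory hardened = hardenedFactory();
        DocumentBuilderFactory stock = DocumentBuilderFactory.newInstance();
        System.out.println("hardened rejects DOCTYPE: " + rejects(hardened, withDoctype));
        System.out.println("hardened accepts plain:   " + !rejects(hardened, plain));
        System.out.println("stock rejects DOCTYPE:    " + rejects(stock, withDoctype));
    }
}
```

The same feature flags apply to SAXParserFactory and, via setProperty with XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA set to an empty string, to XMLInputFactory and validators.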

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:zoneland:o2oa:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Zoneland; Zoneland o2oa
Type: Vendors & Products
Values Added: Zoneland; Zoneland o2oa

Sat, 07 Feb 2026 04:30:00 +0000

Type: Description
Values Added: A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
Values Added: O2OA HTTP POST Request check xml external entity reference
Type: Weaknesses
Values Added: CWE-610; CWE-611
Type: References
Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:29:26.009Z

Reserved: 2026-02-06T07:46:08.815Z

Link: CVE-2026-2074

Vulnrichment

Updated: 2026-02-10T15:24:41.275Z

NVD

Status: Analyzed

Published: 2026-02-07T05:16:12.800

Modified: 2026-02-17T19:07:40.393

Link: CVE-2026-2074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses