Description
An XML External Entity (XXE) vulnerability allows a malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references.

This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.

Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads
Published: 2026-02-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery via XML External Entity leading to potential internal network exposure
Action: Patch Immediately
AI Analysis

Impact

This vulnerability allows a malicious user to supply crafted XML containing external entity references, resulting in a server-side request forgery (SSRF). The attacker can force the affected service to reach arbitrary internal or external resources, potentially exfiltrating data or enabling further compromise. The weakness is an XML External Entity (CWE-611) that can be abused for SSRF (CWE-918).

Affected Systems

Xerox FreeFlow Core, versions up to and including 8.0.7, are affected. The vendor recommends upgrading to version 8.1.0 to remediate the issue.

Risk and Exploitability

With a CVSS base score of 7.5, the vulnerability is considered high. The EPSS indicates a very low exploitation probability (<1%) and it is not listed in the CISA KEV catalog, but the presence of SSRF capabilities still warrants prompt action. Exploitation is possible from remote input wherever the attacker can control XML payloads, likely via any service that accepts XML input. Only basic network connectivity is required to trigger the SSRF.

Generated by OpenCVE AI on April 16, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Xerox FreeFlow Core to version 8.1.0 using the download from Xerox support.
  • If the upgrade cannot be performed immediately, reconfigure the XML parser to reject all external entity references and disable external entity loading.
  • Continuously monitor outbound traffic and system logs for unexpected internal or external connections that could indicate SSRF attempts.

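A parser hardened the way the second recommended action describes, refusing external DTDs and SYSTEM/PUBLIC entity declarations before anything could be fetched, written here in Python with the standard-library expat bindings as an added illustration. It is not code from the OpenCVE page or from Xerox FreeFlow Core (whose parser is not described here); the sample documents and the internal.example host are constructed.

```python
import xml.parsers.expat as expat

class ExternalEntityError(ValueError):
    """The document declares or references an external entity."""

def parse_without_external_entities(xml_bytes: bytes) -> dict:
    """Parse with expat, failing closed on any DOCTYPE or ENTITY that carries a
    SYSTEM/PUBLIC identifier (the hook an XXE-to-SSRF payload relies on).
    Returns {leaf element: text} so callers can see benign input still parses."""
    parser = expat.ParserCreate()
    # Never expand external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result, stack = {}, []

    def doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external DTD for {name!r}: {system_id!r}")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # General or parameter entity with an external identifier: reject.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external entity {name!r}: {system_id!r}")

    def chars(data):
        if stack and data.strip():
            result[stack[-1]] = result.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = doctype
    parser.EntityDeclHandler = entity_decl
    # Returning 0 makes expat refuse a reference rather than resolve it.
    parser.ExternalEntityRefHandler = lambda ctx, base, sys_id, pub_id: 0
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return result

def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document (worth logging as an SSRF attempt)."""
    try:
        parse_without_external_entities(xml_bytes)
    except ExternalEntityError:
        return True
    return False

# Constructed samples; internal.example is a placeholder, not a real host.
BENIGN_XML = b'<?xml version="1.0"?><job><name>print-run-1</name><copies>3</copies></job>'
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE job [<!ENTITY xxe SYSTEM '
           b'"http://internal.example/status">]><job><name>&xxe;</name></job>')
EXTERNAL_DTD_XML = b'<!DOCTYPE job SYSTEM "http://internal.example/job.dtd"><job/>'
```

Rejections raised by `is_rejected` are the events the third recommended action asks operators to watch for, so they belong in the application log alongside the source address of the request.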


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:30:00 +0000

Type      Values Removed    Values Added
CPEs                        cpe:2.3:a:xerox:freeflow_core:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 16:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Xerox
                                        Xerox freeflow Core
Vendors & Products                      Xerox
                                        Xerox freeflow Core

Fri, 27 Feb 2026 08:30:00 +0000

Type          Values Removed    Values Added
Description                     An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads
Title                           XML External Entity (XXE) vulnerability resulting in Server-Side Request Forgery (SSRF)
Weaknesses                      CWE-611
                                CWE-918
References
Metrics                         cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Xerox

Published:

Updated: 2026-03-06T15:34:24.049Z

Reserved: 2026-02-09T14:29:08.541Z

Link: CVE-2026-2252

Vulnrichment

Updated: 2026-03-06T15:34:20.464Z

NVD

Status : Analyzed

Published: 2026-02-27T09:16:17.130

Modified: 2026-03-02T18:24:05.843

Link: CVE-2026-2252

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses