Description
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.
Published: 2026-03-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized read of arbitrary server files and internal network access via XML external entity processing
Action: Apply Patch
AI Analysis

Impact

This issue is an XML External Entity (XXE) injection that impacts Tolgee's translation import feature. When the platform processes Android XML or ResX files without disabling external entity handling, a specially crafted file can make the server read files from its own file system or issue outbound requests to internal services. The result is a breach of confidentiality and a potential avenue for reaching internal resources, though no denial of service or arbitrary code execution was reported.

Affected Systems

All deployments of the Tolgee Platform before release 3.166.3 are affected. The flaw is present for both affected import formats (Android XML resources and .resx files) and is only exploitable by users who have permission to import translations, that is, authenticated users within projects. Version 3.166.3 and later patch the XML parsers to disable external entity processing, eliminating the vulnerability.

Risk and Exploitability

The CVSS score of 9.3 classifies this vulnerability as critical. The EPSS score is below 1%, and it is not listed in the CISA KEV catalog, indicating that public exploitation has not been observed. The likely attack vector is the translation import interface, where a malicious file is uploaded. Because exploitation requires an authenticated user with import rights, the threat is limited to environments where such permissions are granted. An attacker who can authenticate as such a user can read arbitrary files on the server and cause internal network requests, but no arbitrary code execution is possible.

Generated by OpenCVE AI on March 20, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tolgee Platform to version 3.166.3 or later, which disables XML external entity processing during translation imports.
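A hardened import parser of the kind the fix calls for, as an added example (Python on the standard-library expat parser; not Tolgee's own code, which this page does not show): instead of resolving entities, it rejects any DOCTYPE or entity declaration in an uploaded Android strings.xml or .resx file. The sample uploads and the placeholder file URI are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample uploads for this example, not files from the advisory.
ANDROID_OK = b"""<resources>
  <string name="app_name">Demo</string>
  <string name="greeting">Hello, %1$s</string>
</resources>"""
RESX_OK = b"""<root>
  <data name="greeting"><value>Hallo</value><comment>home screen</comment></data>
</root>"""
# Upload declaring a DTD with an external entity (placeholder URI that resolves to
# nothing); the hardened parser must refuse it before the entity is dereferenced.
ANDROID_DTD = b"""<!DOCTYPE resources [<!ENTITY ext SYSTEM "file:///placeholder/not-real">]>
<resources><string name="greeting">&ext;</string></resources>"""


def parse_translations(xml_bytes: bytes) -> "dict[str, str] | None":
    """Return {key: text} from an Android strings.xml or a .resx upload, or None if the
    file is rejected. Neither format needs a DOCTYPE, so the parser fails closed on any
    doctype or entity declaration instead of resolving entities (the CWE-611 mistake)."""
    parser = expat.ParserCreate()
    def refuse(*_):
        raise ValueError("DTD or entity declaration is not allowed in an import")

    parser.StartDoctypeDeclHandler = refuse   # fires before any <!ENTITY ...> is read
    parser.EntityDeclHandler = refuse         # internal or external entity declaration
    parser.ExternalEntityRefHandler = refuse  # never dereference a SYSTEM identifier

    entries: dict = {}
    cur = {"key": None, "capture": False, "buf": []}
    def start(tag, attrs):
        if tag in ("string", "data") and "name" in attrs:  # Android / .resx entry
            cur.update(key=attrs["name"], capture=(tag == "string"), buf=[])
        elif tag == "value" and cur["key"] is not None:    # .resx text sits in <value>
            cur["capture"] = True

    def end(tag):
        if tag == "value":
            cur["capture"] = False
        elif tag in ("string", "data") and cur["key"] is not None:
            entries[cur["key"]] = "".join(cur["buf"]).strip()
            cur.update(key=None, capture=False)

    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = lambda data: cur["buf"].append(data) if cur["capture"] else None
    try:
        parser.Parse(xml_bytes, True)
    except ValueError:
        return None  # fail closed: nothing imported, no entity resolved
    return entries
```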

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:00:00 +0000
Values added:
  • First Time appeared: Tolgee tolgee
  • CPEs: cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*
  • Vendors & Products: Tolgee tolgee
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Fri, 13 Mar 2026 17:15:00 +0000
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000
Values added:
  • First Time appeared: Tolgee; Tolgee tolgee-platform
  • Vendors & Products: Tolgee; Tolgee tolgee-platform

Thu, 12 Mar 2026 19:45:00 +0000
Values added:
  • Description: Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.
  • Title: Tolgee has an XXE Injection in Translation Import
  • Weaknesses: CWE-611
  • References
  • Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:15:44.484Z

Reserved: 2026-03-11T14:47:05.686Z

Link: CVE-2026-32251

Vulnrichment

Updated: 2026-03-13T16:15:34.442Z

NVD

Status : Analyzed

Published: 2026-03-12T20:16:05.697

Modified: 2026-03-20T15:57:42.580

Link: CVE-2026-32251

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:54:54Z

Weaknesses