Description
A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. It affects the function Calculate in the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Manipulating the input to this function leads to injection. The attack can be performed remotely. The exploit is publicly available and might be used. This product uses a rolling release system for continuous delivery, so version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Apply Mitigation
AI Analysis

Impact

The vulnerability is located in the Calculate function of the WF_CCForm.java component in the opencc JFlow project. An attacker can manipulate input to this function, enabling arbitrary payload injection. The documented CWEs indicate that the flaw permits code injection and command injection, suggesting that injected content may be executed or processed by the system. The nature of the flaw means that malicious input could alter execution flow or inject harmful commands, potentially compromising application logic or data integrity.

Affected Systems

All publicly available releases of opencc JFlow up to commit 5badc00db382d7cb82dad231e6a866b18e0addfe contain the affected Calculate function. Because the project follows a rolling release model, specific version numbers are not publicly disclosed; any instance running code at or before that commit should be treated as vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score of less than 1% reflects a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The stated attack vector is remote, and the exploit is publicly available, implying that exposure over web interfaces could be sufficient for an attacker to manipulate inputs. Without an official patch, the risk endures until a fixed release or mitigation is applied.

Generated by OpenCVE AI on April 17, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the opencc JFlow repository for updates that address the injection flaw and install the latest confirmed fix when available.
  • Implement strict input validation and parameter sanitization for all data processed by the Calculate function to neutralize malicious payloads before execution.
  • Restrict access to the WF_CCForm endpoint using network segmentation and role‑based access controls, and apply output encoding or escaping to mitigate injection risks.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-77
CPEs | | cpe:2.3:a:opencc:jflow:-:*:*:*:*:*:*:*

Tue, 10 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opencc, Opencc jflow
Vendors & Products | | Opencc, Opencc jflow

Mon, 09 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Title | | opencc JFlow WF_CCForm.java Calculate injection
Weaknesses | | CWE-707, CWE-74
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-10T16:01:34.157Z

Reserved: 2026-03-08T16:31:04.148Z

Link: CVE-2026-3813

Vulnrichment

Updated: 2026-03-10T16:01:31.076Z

NVD

Status: Analyzed

Published: 2026-03-09T10:16:03.110

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses