
OpenCC JFlow Workflow Engine Allows Remote XML Injection Attack

CVE-2026-2536
Summary

OpenCC JFlow, a workflow management tool, contains a security issue that a remote attacker can exploit by injecting malicious XML. This could lead to unauthorized data access or system compromise. The issue affects versions up to January 2026, and users should update to the latest version.

Original title
A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine...
Original description
A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 6.3
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-610
CWE-611 XML External Entity (XXE)
Published: 16 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026