Freeflow Core
CVE-2026-2252
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references.
This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.
Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads
AnalysisAI
Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.
Technical ContextAI
Classified as CWE-611 (Improper Restriction of XML External Entity Reference). Affects Freeflow Core. An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references.
This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.
Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Freeflow Core
View allPath traversal vulnerability in Xerox FreeFlow Core allows attackers to access files outside restricted directories, pot
Pre-Auth RCE via Path Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no auth
Pre-Auth RCE via Path Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no auth
Authenticated RCE via Path Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
Authenticated RCE via Path Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized file
In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. Rated high s
Share
External POC / Exploit Code
Leaving vuln.today