What is the CVSS score of CVE-2026-2252?

CVE-2026-2252 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Freeflow Core are affected by CVE-2026-2252?

Xerox FreeFlow Core versions up to 8.0.7 contain a critical vulnerability allowing attackers to perform server-side request forgery attacks through malicious XML input, potentially enabling…

Freeflow Core CVE-2026-2252

HIGH

Improper Restriction of XML External Entity Reference (CWE-611)

2026-02-27 10b61619-3869-496c-8a1e-f291b0e71e3f

SSRF XXE Freeflow Core

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 27, 2026 - 09:16 nvd

HIGH 7.5

DescriptionNVD

An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references.

This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.

Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads

AnalysisAI

Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. …

RemediationAI

Within 24 hours: Identify all instances of Xerox FreeFlow Core in production and their version numbers; implement network segmentation to restrict outbound connections from affected systems. Within 7 days: Disable XML external entity processing if the feature is not business-critical; deploy WAF rules to block XXE payloads in XML input; establish enhanced monitoring for suspicious outbound connections. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-2252 vulnerability details – vuln.today

Back

Freeflow Core CVE-2026-2252

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code