CVE-2026-2251 PUBLISHED

Path Traversal leading to Remote Code Execution (RCE)

Assigner: Xerox
Reserved: 09.02.2026 Published: 27.02.2026 Updated: 27.02.2026

Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.

Please consider upgrading to FreeFlow Core version 8.1.0, available at https://www.support.xerox.com/en-us/product/core/downloads

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor Xerox
Product FreeFlow Core
Versions Default: unaffected
  • affected from 0 to 8.0.7 (incl.)

Problem Types

  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impacts

  • CAPEC-126 Path Traversal
  • CAPEC-253 Remote Code Inclusion