CVE-2026-2252 PUBLISHED

XML External Entity (XXE) vulnerability resulting in Server-Side Request Forgery (SSRF)

Assigner: Xerox
Reserved: 09.02.2026 Published: 27.02.2026 Updated: 27.02.2026

An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references.

This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.

Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Xerox
Product	FreeFlow Core
Versions	Default: unaffected affected from 0 to 8.0.7 (incl.)

References

https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-026-005-for-Xerox-Freeflow-Core.pdf

Problem Types

CWE-611 Improper Restriction of XML External Entity Reference CWE
CWE-918 Server-Side Request Forgery (SSRF) CWE

Impacts

CAPEC-201 Serialized Data External Linking
CAPEC-664 Server Side Request Forgery