Common Weakness Enumeration

CWE-610

Discouraged

Externally Controlled Reference to a Resource in Another Sphere

Abstraction: Class · Status: Draft

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

277 vulnerabilities reference this CWE, most recent first.

CVE-2026-2536 (GCVE-0-2026-2536)

Vulnerability from cvelistv5 – Published: 2026-02-16 05:02 – Updated: 2026-02-23 10:05
VLAI
Title
opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference
Summary
A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - XML External Entity Reference
  • CWE-610 - Externally Controlled Reference
Assigner
References
URL Tags
https://vuldb.com/?id.346124 vdb-entrytechnical-description
https://vuldb.com/?ctiid.346124 signaturepermissions-required
https://vuldb.com/?submit.748807 third-party-advisory
https://vuldb.com/?submit.748808 third-party-advisory
https://gitee.com/opencc/JFlow/issues/IDN7GT exploitissue-tracking
https://gitee.com/opencc/JFlow/ product
Impacted products
Vendor Product Version
opencc JFlow Affected: 20260129
Create a notification for this product.
Credits
MaoQiu (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2536",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T17:05:07.890851Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T17:05:15.429Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Workflow Engine"
          ],
          "product": "JFlow",
          "vendor": "opencc",
          "versions": [
            {
              "status": "affected",
              "version": "20260129"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "MaoQiu (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "Externally Controlled Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T10:05:58.889Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-346124 | opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.346124"
        },
        {
          "name": "VDB-346124 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.346124"
        },
        {
          "name": "Submit #748807 | https://gitee.com/opencc/JFlow JFlow latest version XML External Entity Injection (XXE)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.748807"
        },
        {
          "name": "Submit #748808 | https://gitee.com/opencc/JFlow JFlow latest version XML External Entity Injection (XXE) (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.748808"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://gitee.com/opencc/JFlow/issues/IDN7GT"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://gitee.com/opencc/JFlow/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-15T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-20T07:24:21.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2536",
    "datePublished": "2026-02-16T05:02:14.100Z",
    "dateReserved": "2026-02-15T09:19:07.190Z",
    "dateUpdated": "2026-02-23T10:05:58.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2074 (GCVE-0-2026-2074)

Vulnerability from cvelistv5 – Published: 2026-02-07 04:02 – Updated: 2026-02-23 09:29
VLAI
Title
O2OA HTTP POST Request check xml external entity reference
Summary
A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - XML External Entity Reference
  • CWE-610 - Externally Controlled Reference
Assigner
References
URL Tags
https://vuldb.com/?id.344640 vdb-entry
https://vuldb.com/?ctiid.344640 signaturepermissions-required
https://vuldb.com/?submit.745486 third-party-advisory
https://vuldb.com/?submit.745489 third-party-advisory
https://github.com/SourByte05/SourByte-Lab/issues/7 exploitissue-tracking
Impacted products
Vendor Product Version
n/a O2OA Affected: 9.0
Credits
sourbyte (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2074",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:24:33.129817Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T15:24:44.981Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "HTTP POST Request Handler"
          ],
          "product": "O2OA",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "9.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "sourbyte (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "Externally Controlled Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T09:29:26.009Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-344640 | O2OA HTTP POST Request check xml external entity reference",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.344640"
        },
        {
          "name": "VDB-344640 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.344640"
        },
        {
          "name": "Submit #745486 | \u6d59\u6c5f\u5170\u5fb7\u7eb5\u6a2a\u7f51\u7edc\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8 O2OA v6.1.0 \u81f3 v9.0.0 XML\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.745486"
        },
        {
          "name": "Submit #745489 | O2OA\u5f00\u53d1\u5e73\u53f0 O2OA v6.1.0 \u81f3 v9.0.0 XML\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.745489"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/SourByte05/SourByte-Lab/issues/7"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-06T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-06T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-08T15:08:13.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "O2OA HTTP POST Request check xml external entity reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2074",
    "datePublished": "2026-02-07T04:02:06.652Z",
    "dateReserved": "2026-02-06T07:46:08.815Z",
    "dateUpdated": "2026-02-23T09:29:26.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1218 (GCVE-0-2026-1218)

Vulnerability from cvelistv5 – Published: 2026-01-20 05:32 – Updated: 2026-02-23 08:52
VLAI
Title
Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference
Summary
A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - XML External Entity Reference
  • CWE-610 - Externally Controlled Reference
Assigner
References
URL Tags
https://vuldb.com/?id.341908 vdb-entrytechnical-description
https://vuldb.com/?ctiid.341908 signaturepermissions-required
https://vuldb.com/?submit.735201 third-party-advisory
https://github.com/dingpotian/cve-vul/blob/main/S… broken-linkexploit
Impacted products
Vendor Product Version
Bjskzy Zhiyou ERP Affected: 11.0
Create a notification for this product.
Credits
dptcc (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1218",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T20:21:32.301398Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T20:22:43.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "com.artery.richclient.RichClientService"
          ],
          "product": "Zhiyou ERP",
          "vendor": "Bjskzy",
          "versions": [
            {
              "status": "affected",
              "version": "11.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "dptcc (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "Externally Controlled Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T08:52:03.555Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-341908 | Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.341908"
        },
        {
          "name": "VDB-341908 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.341908"
        },
        {
          "name": "Submit #735201 | Bjskzy Enterprise Resource Planning Software 11.0 XML External Entity Reference",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.735201"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-19T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-01-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-01-20T08:20:29.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-1218",
    "datePublished": "2026-01-20T05:32:07.224Z",
    "dateReserved": "2026-01-19T23:19:20.859Z",
    "dateUpdated": "2026-02-23T08:52:03.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0522 (GCVE-0-2026-0522)

Vulnerability from cvelistv5 – Published: 2026-04-01 13:11 – Updated: 2026-04-01 13:41
VLAI
Title
Local File Inclusion in the File Upload/Download Process
Summary
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks. This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
URL Tags
https://www.redguard.ch/blog/2026/04/01/advisory-… third-party-advisorytechnical-description
https://support.vertigis.com/hc/en-us/articles/31… vendor-advisory
Impacted products
Vendor Product Version
VertiGIS VertiGIS FM Affected: 0 , < 10.11.363 (semver)
Create a notification for this product.
Credits
Benjamin Faller, Redguard AG David Wischnjak, Redguard AG
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0522",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T13:41:03.252558Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T13:41:23.300Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "VertiGIS FM",
          "vendor": "VertiGIS",
          "versions": [
            {
              "lessThan": "10.11.363",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:vertigis:vertigis_fm:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.11.363",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Benjamin Faller, Redguard AG"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "David Wischnjak, Redguard AG"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eA local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file\u0027s path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application\u0027s ASP.NET architecture, this could potentially lead to remote code execution when the \"web.config\" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003eThis issue affects VertiGIS FM: 10.5.00119 (0d29d428).\u003c/p\u003e"
            }
          ],
          "value": "A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file\u0027s path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application\u0027s ASP.NET architecture, this could potentially lead to remote code execution when the \"web.config\" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.\n\n\n\n\n\n\n\nThis issue affects VertiGIS FM: 10.5.00119 (0d29d428)."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T13:11:13.384Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Local File Inclusion in the File Upload/Download Process",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2026-0522",
    "datePublished": "2026-04-01T13:11:13.384Z",
    "dateReserved": "2025-12-17T08:22:38.979Z",
    "dateUpdated": "2026-04-01T13:41:23.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GCVE-1-2026-0027 (CVE-2026-44363)

Vulnerability from gna-1 – Published: 2026-04-29 12:05 – Updated: 2026-05-06 16:03
VLAI
Title
Unsafe remote resource fetching in expansion misp-modules
Summary
An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification.
CWE
  • CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
Impacted products
Vendor Product Version
misp misp-modules Affected: 0 , ≤ 3.0.7 (semver)
Create a notification for this product.
Credits
Bilal Teke David Cruciani

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp-modules",
          "vendor": "misp",
          "versions": [
            {
              "lessThanOrEqual": "3.0.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bilal Teke"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "David Cruciani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The \u003ccode\u003ehtml_to_markdown\u003c/code\u003e module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the \u003ccode\u003eqrcode\u003c/code\u003e module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification."
            }
          ],
          "value": "An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/MISP/misp-modules/commit/52cda9caa003cafe87e14ae3721db5e16f6f111a"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unsafe remote resource fetching in expansion misp-modules",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "cveId": "CVE-2026-44363",
    "datePublished": "2026-04-29T12:05:00.000Z",
    "dateUpdated": "2026-05-06T16:03:40.556833Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "GCVE-1-2026-0027",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-04-29T12:05:45.275949Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-05-06T16:03:40.556833Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48963 (GCVE-0-2025-48963)

Vulnerability from cvelistv5 – Published: 2025-08-28 09:49 – Updated: 2026-02-26 17:47
VLAI
Summary
Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40296.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Acronis Acronis Cyber Protect Cloud Agent Affected: unspecified , < 40296 (semver)
Create a notification for this product.
Credits
@vultza (https://hackerone.com/vultza)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-29T03:55:22.901084Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:47:54.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "macOS",
            "Windows"
          ],
          "product": "Acronis Cyber Protect Cloud Agent",
          "vendor": "Acronis",
          "versions": [
            {
              "lessThan": "40296",
              "status": "affected",
              "version": "unspecified",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "@vultza (https://hackerone.com/vultza)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40296."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "CWE-610",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T09:49:57.936Z",
        "orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
        "shortName": "Acronis"
      },
      "references": [
        {
          "name": "SEC-8568",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security-advisory.acronis.com/advisories/SEC-8568"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
    "assignerShortName": "Acronis",
    "cveId": "CVE-2025-48963",
    "datePublished": "2025-08-28T09:49:57.936Z",
    "dateReserved": "2025-05-29T00:22:59.557Z",
    "dateUpdated": "2026-02-26T17:47:54.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22144 (GCVE-0-2025-22144)

Vulnerability from cvelistv5 – Published: 2025-01-13 19:49 – Updated: 2025-01-13 20:21
VLAI
Title
Account Takeover in NamelessMC
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
Impacted products
Vendor Product Version
NamelessMC Nameless Affected: <= 2.1.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22144",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-13T20:20:59.230880Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-13T20:21:06.877Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nameless",
          "vendor": "NamelessMC",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/\u0026c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-13T19:49:03.887Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p"
        },
        {
          "name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3"
        }
      ],
      "source": {
        "advisory": "GHSA-p883-7496-x35p",
        "discovery": "UNKNOWN"
      },
      "title": "Account Takeover in NamelessMC"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-22144",
    "datePublished": "2025-01-13T19:49:03.887Z",
    "dateReserved": "2024-12-30T03:00:33.653Z",
    "dateUpdated": "2025-01-13T20:21:06.877Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-15251 (GCVE-0-2025-15251)

Vulnerability from cvelistv5 – Published: 2025-12-30 14:02 – Updated: 2025-12-30 14:29
VLAI
Title
beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference
Summary
A vulnerability was detected in beecue FastBee up to 2.1. Impacted is the function getRootElement of the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java of the component SIP Message Handler. The manipulation results in xml external entity reference. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The project owner replied to the issue report: "Okay, we'll handle it as soon as possible."
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - XML External Entity Reference
  • CWE-610 - Externally Controlled Reference
Assigner
References
URL Tags
https://vuldb.com/?id.338641 vdb-entrytechnical-description
https://vuldb.com/?ctiid.338641 signaturepermissions-required
https://gitee.com/beecue/fastbee/issues/ID7HNZ issue-tracking
https://gitee.com/beecue/fastbee/issues/ID7HNZ#no… issue-tracking
Impacted products
Vendor Product Version
beecue FastBee Affected: 2.0
Affected: 2.1
Create a notification for this product.
Credits
VulDB Gitee Analyzer
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15251",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-30T14:29:14.007553Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-30T14:29:30.146Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "SIP Message Handler"
          ],
          "product": "FastBee",
          "vendor": "beecue",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "2.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "tool",
          "value": "VulDB Gitee Analyzer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in beecue FastBee up to 2.1. Impacted is the function getRootElement of the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java of the component SIP Message Handler. The manipulation results in xml external entity reference. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The project owner replied to the issue report: \"Okay, we\u0027ll handle it as soon as possible.\""
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.1,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "Externally Controlled Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T14:02:10.910Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-338641 | beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.338641"
        },
        {
          "name": "VDB-338641 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.338641"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitee.com/beecue/fastbee/issues/ID7HNZ"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitee.com/beecue/fastbee/issues/ID7HNZ#note_47777408_link"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-12-29T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-12-29T10:13:37.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-15251",
    "datePublished": "2025-12-30T14:02:10.910Z",
    "dateReserved": "2025-12-29T09:08:25.743Z",
    "dateUpdated": "2025-12-30T14:29:30.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13209 (GCVE-0-2025-13209)

Vulnerability from cvelistv5 – Published: 2025-11-15 18:32 – Updated: 2025-11-17 15:58
VLAI
Title
bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference
Summary
A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - XML External Entity Reference
  • CWE-610 - Externally Controlled Reference
Assigner
References
URL Tags
https://vuldb.com/?id.332528 vdb-entrytechnical-description
https://vuldb.com/?ctiid.332528 signaturepermissions-required
https://vuldb.com/?submit.685626 third-party-advisory
https://github.com/bkglfpp/CVE-md/blob/main/%E4%B… exploit
Impacted products
Vendor Product Version
bestfeng oa_git_free Affected: 9.0
Affected: 9.1
Affected: 9.2
Affected: 9.3
Affected: 9.4
Affected: 9.5
Create a notification for this product.
Credits
youran (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13209",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-17T15:58:27.666432Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-17T15:58:53.721Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "oa_git_free",
          "vendor": "bestfeng",
          "versions": [
            {
              "status": "affected",
              "version": "9.0"
            },
            {
              "status": "affected",
              "version": "9.1"
            },
            {
              "status": "affected",
              "version": "9.2"
            },
            {
              "status": "affected",
              "version": "9.3"
            },
            {
              "status": "affected",
              "version": "9.4"
            },
            {
              "status": "affected",
              "version": "9.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "youran (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in bestfeng oa_git_free up to 9.5 gefunden. Hierbei geht es um die Funktion updateWriteBack der Datei yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. Dank der Manipulation des Arguments writeProp mit unbekannten Daten kann eine xml external entity reference-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "Externally Controlled Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T18:32:06.823Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-332528 | bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.332528"
        },
        {
          "name": "VDB-332528 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.332528"
        },
        {
          "name": "Submit #685626 | https://gitee.com/bestfeng/oa_git_free oa_git_free 8.0 XML external entity injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.685626"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-11-14T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-11-14T20:06:01.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-13209",
    "datePublished": "2025-11-15T18:32:06.823Z",
    "dateReserved": "2025-11-14T19:00:50.250Z",
    "dateUpdated": "2025-11-17T15:58:53.721Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11341 (GCVE-0-2025-11341)

Vulnerability from cvelistv5 – Published: 2025-10-06 17:02 – Updated: 2025-10-06 19:58
VLAI
Title
Jinher OA type xml external entity reference
Summary
A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - XML External Entity Reference
  • CWE-610 - Externally Controlled Reference
Assigner
References
URL Tags
https://vuldb.com/?id.327226 vdb-entry
https://vuldb.com/?ctiid.327226 signaturepermissions-required
https://vuldb.com/?submit.664613 third-party-advisory
https://github.com/rookie1006/CVE/issues/2 exploitissue-tracking
Impacted products
Vendor Product Version
Jinher OA Affected: 2.0
Create a notification for this product.
Credits
rookie1129 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11341",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-06T19:57:58.223505Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-06T19:58:06.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OA",
          "vendor": "Jinher",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "rookie1129 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo\u0026style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited."
        },
        {
          "lang": "de",
          "value": "In Jinher OA up to 2.0 wurde eine Schwachstelle gefunden. Hierbei betrifft es unbekannten Programmcode der Datei /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo\u0026style=1. Durch Manipulation mit unbekannten Daten kann eine xml external entity reference-Schwachstelle ausgenutzt werden. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "Externally Controlled Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-06T17:02:05.698Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-327226 | Jinher OA type xml external entity reference",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.327226"
        },
        {
          "name": "VDB-327226 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.327226"
        },
        {
          "name": "Submit #664613 | Jinher OA v2.0 XML External Entity Reference",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.664613"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/rookie1006/CVE/issues/2"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-06T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-10-06T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-10-06T07:42:20.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Jinher OA type xml external entity reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-11341",
    "datePublished": "2025-10-06T17:02:05.698Z",
    "dateReserved": "2025-10-06T05:37:17.399Z",
    "dateUpdated": "2025-10-06T19:58:06.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

No mitigation information available for this CWE.

CAPEC-219: XML Routing Detour Attacks

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.