CVE-2026-2251 CRITICAL

CVE-2026-2251: Path Traversal leading to Remote Code Execution (RCE)

Vendor Xerox
Product FreeFlow Core
Weakness CWE-22 · Path traversal
Published February 27, 2026
Last update March 3, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
March 3, 2026 Record updated