CVE-2026-2252 HIGH

CVE-2026-2252: XML External Entity (XXE) vulnerability resulting in Server-Side Request Forgery (SSRF)

Vendor Xerox
Product FreeFlow Core
Weakness CWE-611 · XXE
Published February 27, 2026
Last update March 6, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

An XML External Entity (XXE) vulnerability allows a malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
March 6, 2026 Record updated