6.5

CVE-2026-2074

Exploit
A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZonelandO2oa Version <= 9.0.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.06% 0.19
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@vuldb.com 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com 5.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-610 Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://vuldb.com/?id.344640
Third Party Advisory
VDB Entry
https://vuldb.com/?ctiid.344640
VDB Entry
Permissions Required
https://vuldb.com/?submit.745486
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.745489
Third Party Advisory
VDB Entry
https://github.com/SourByte05/SourByte-Lab/issues/7
Third Party Advisory
Exploit
Issue Tracking
Mitigation