Published:2026/03/19 Last Updated:2026/03/19
JVNVU#95093977
Multiple vulnerabilities in Xerox FreeFlow Core (XRX26-005)
Overview
Xerox FreeFlow Core contains multiple vulnerabilities.
Products Affected
- Xerox FreeFlow Core versions prior to 8.1.0
On March 17th, 2026, they announced that their released versions (7.0.0 to 7.0.11) are also affected to XRX26-005.
Description
Xerox FreeFlow Core contains multiple vulnerabilities listed below.
- Path traversal (CWE-22)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
- CVE-2026-2251
- XML external entity reference (XXE) (CWE-611)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 8.7
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
- CVE-2026-2252
Impact
- A crafted input may store an arbitrary file to an unexpected place in the affected product. This may lead to arbitrary code execution (CVE-2026-2251)
- A crafted input may cause the affected product to initiate sending a HTTP request to a remote resource (CVE-2026-2252)
Solution
Update the Software
Xerox Corporation provides the fixed version 8.1.0.
Apply the workaround
On March 17th, 2026, FUJIFILM Business Innovation announced that their released versions are also affected to XRX26-005, and are preparing the updates.
Until the updates are available, they recommends to the customers to apply the workaround.
For details, refer to the information provided by FUJIFILM Business Innovation.
Vendor Status
| Vendor | Link |
| FUJIFILM Business Innovation Corp. | March 17, 2026 Notification about the vulnerability in Xerox FreeFlow Core |
| Xerox Corporation | Security Bulletin XRX26-005 for Xerox FreeFlow Core |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.