Published: 2026/03/19 Last Updated: 2026/04/08
JVNVU#95093977
Multiple vulnerabilities in Xerox FreeFlow Core (XRX26-005)
Overview
Xerox FreeFlow Core contains multiple vulnerabilities.
Products Affected
- Xerox FreeFlow Core versions prior to 8.1.0
On March 17th, 2026, they announced that their released versions (7.0.0 to 7.0.11) are also affected by XRX26-005.
Description
Xerox FreeFlow Core contains multiple vulnerabilities listed below.
- Path traversal (CWE-22)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
  - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
  - CVE-2026-2251
- XML external entity reference (XXE) (CWE-611)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 8.7
  - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
  - CVE-2026-2252
Impact
- A crafted input may cause an arbitrary file to be stored in an unexpected location in the affected product. This may lead to arbitrary code execution (CVE-2026-2251).
- A crafted input may cause the affected product to initiate an HTTP request to a remote resource (CVE-2026-2252).
Solution
Update the Software
Update the software to Xerox FreeFlow Core 8.1.0, which contains the fixes for these vulnerabilities.
Apply the workaround
Users are advised to apply the workaround until the latest update is applied.
For details, refer to the information provided by FUJIFILM Business Innovation.
Vendor Status
| Vendor | Link |
| FUJIFILM Business Innovation Corp. | Notification about the vulnerability (CVE-2026-2251/2252) in Xerox FreeFlow Core |
| Xerox Corporation | Security Bulletin XRX26-005 for Xerox FreeFlow Core |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Update History
- 2026/04/08
  - Information under the sections [Solution] and [Vendor Status] was updated