A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://github.com/SourByte05/SourByte-Lab/issues/7 | Exploit Issue Tracking Mitigation Third Party Advisory |
| https://vuldb.com/?ctiid.344640 | Permissions Required VDB Entry |
| https://vuldb.com/?id.344640 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.745486 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.745489 | Third Party Advisory VDB Entry |
Configurations
History
17 Feb 2026, 19:07
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:zoneland:o2oa:*:*:*:*:*:*:*:* | |
| References | () https://github.com/SourByte05/SourByte-Lab/issues/7 - Exploit, Issue Tracking, Mitigation, Third Party Advisory | |
| References | () https://vuldb.com/?ctiid.344640 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.344640 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.745486 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.745489 - Third Party Advisory, VDB Entry | |
| First Time |
Zoneland o2oa
Zoneland |
07 Feb 2026, 05:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-07 05:16
Updated : 2026-02-17 19:07
NVD link : CVE-2026-2074
Mitre link : CVE-2026-2074
CVE.ORG link : CVE-2026-2074
JSON object : View
Products Affected
zoneland
- o2oa