CVE-2026-32251

Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5
https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx

Configurations

No configuration.

History

13 Mar 2026, 19:54

Type	Values Removed	Values Added
References	~~() https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx -~~	() https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx -
Summary		(es) Tolgee es una plataforma de localización de código abierto. Antes de la versión 3.166.3, los analizadores XML utilizados para importar recursos XML de Android (.xml) y archivos .resx no deshabilitaban el procesamiento de entidades externas. Un usuario autenticado que puede importar archivos de traducción a un proyecto puede explotar esto para leer archivos arbitrarios del servidor y realizar solicitudes del lado del servidor a servicios internos. Esta vulnerabilidad está corregida en la versión 3.166.3.

12 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 20:16

Updated : 2026-03-13 19:54

NVD link : CVE-2026-32251

Mitre link : CVE-2026-32251

CVE.ORG link : CVE-2026-32251

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2026-32251", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-12T20:16:05.697", "references": [{"url": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5", "source": "security-advisories@github.com"}, {"url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3", "source": "security-advisories@github.com"}, {"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "source": "security-advisories@github.com"}, {"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3."}, {"lang": "es", "value": "Tolgee es una plataforma de localizaci\u00f3n de c\u00f3digo abierto. Antes de la versi\u00f3n 3.166.3, los analizadores XML utilizados para importar recursos XML de Android (.xml) y archivos .resx no deshabilitaban el procesamiento de entidades externas. Un usuario autenticado que puede importar archivos de traducci\u00f3n a un proyecto puede explotar esto para leer archivos arbitrarios del servidor y realizar solicitudes del lado del servidor a servicios internos. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.166.3."}], "lastModified": "2026-03-13T19:54:41.057", "sourceIdentifier": "security-advisories@github.com"}