{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32251", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.686Z", "datePublished": "2026-03-12T19:21:05.130Z", "dateUpdated": "2026-03-13T16:15:44.484Z"}, "containers": {"cna": {"title": "Tolgee has an XXE Injection in Translation Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx"}, {"name": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5", "tags": ["x_refsource_MISC"], "url": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5"}, {"name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3"}], "affected": [{"vendor": "tolgee", "product": "tolgee-platform", "versions": [{"version": "< 3.166.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:21:05.130Z"}, "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3."}], "source": {"advisory": "GHSA-rcvv-64pq-vxfx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:15:41.015285Z", "id": "CVE-2026-32251", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:15:44.484Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32251", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:15:41.015285Z"}}}], "references": [{"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:15:34.442Z"}}], "cna": {"title": "Tolgee has an XXE Injection in Translation Import", "source": {"advisory": "GHSA-rcvv-64pq-vxfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "tolgee", "product": "tolgee-platform", "versions": [{"status": "affected", "version": "< 3.166.3"}]}], "references": [{"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5", "name": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3", "name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:21:05.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32251", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:15:44.484Z", "dateReserved": "2026-03-11T14:47:05.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T19:21:05.130Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3."}, {"lang": "es", "value": "Tolgee es una plataforma de localizaci\u00f3n de c\u00f3digo abierto. Antes de la versi\u00f3n 3.166.3, los analizadores XML utilizados para importar recursos XML de Android (.xml) y archivos .resx no deshabilitaban el procesamiento de entidades externas. Un usuario autenticado que puede importar archivos de traducci\u00f3n a un proyecto puede explotar esto para leer archivos arbitrarios del servidor y realizar solicitudes del lado del servidor a servicios internos. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.166.3."}], "id": "CVE-2026-32251", "lastModified": "2026-03-13T19:54:41.057", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T20:16:05.697", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5"}, {"source": "security-advisories@github.com", "url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.166.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tolgee-platform", "source": "cna", "vendor": "tolgee"}, "product": "tolgee-platform", "vendor": "tolgee"}], "created": "2026-03-13T09:50:06.913903+00:00", "updated": "2026-03-13T09:50:06.914036+00:00", "vendors": ["tolgee", "tolgee$PRODUCT$tolgee-platform"]}