Vulnerability Description
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tolgee | Tolgee | < 3.166.3 |
Related Weaknesses (CWE)
References
- https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b12199241Patch
- https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3Release Notes
- https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfExploitVendor Advisory
- https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfExploitVendor Advisory
FAQ
What is CVE-2026-32251?
CVE-2026-32251 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authentic...
How severe is CVE-2026-32251?
CVE-2026-32251 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32251?
Check the references section above for vendor advisories and patch information. Affected products include: Tolgee Tolgee.