JVNDB-2026-007973

Multiple vulnerabilities in Xerox FreeFlow Core (XRX26-005)

Xerox FreeFlow Core contains multiple vulnerabilities listed below.

• Path traversal (CWE-22) - CVE-2026-2251
• XML external entity reference (XXE) (CWE-611) - CVE-2026-2252

FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Xerox

• Xerox FreeFlow Core versions prior to 8.1.0

FUJIFILM Business Innovation provides the localized versions of Xerox FreeFlow Core to the customers.
On March 17th, 2026, they announced that their released versions (7.0.0 to 7.0.11) are also affected to XRX26-005.

• A crafted input may store an arbitrary file to an unexpected place in the affected product. This may lead to arbitrary code execution (CVE-2026-2251)
• A crafted input may cause the affected product to initiate sending a HTTP request to a remote resource (CVE-2026-2252)

[Update the Software]
Xerox Corporation provides the fixed version 8.1.0.

[Apply the workaround]
On March 17th, 2026, FUJIFILM Business Innovation announced that their released versions are also affected to XRX26-005, and are preparing the updates.
Until the updates are available, they recommends to the customers to apply the workaround.
For details, refer to the information provided by FUJIFILM Business Innovation.

Xerox

• Xerox Corporation : Security Bulletin XRX26-005 for Xerox FreeFlow Core

FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)

• FUJIFILM Business Innovation Corp. : March 17, 2026 Notification about the vulnerability in Xerox FreeFlow Core

1. Path Traversal(CWE-22) [Other]
2. Improper Restriction of XML External Entity Reference(CWE-611) [Other]

1. CVE-2026-2251
2. CVE-2026-2252

1. JVN : JVNVU#95093977

• [2026/03/23]
    Web page was published