CVE-2026-32251

UNKNOWN 0.0

Tolgee has an XXE Injection in Translation Import

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.

CWE	CWE-611
Vendor	tolgee
Product	tolgee-platform
Published	Mar 12, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for tolgee tolgee-platform

Be the first to know when new unknown vulnerabilities affecting tolgee tolgee-platform are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

tolgee / tolgee-platform

< 3.166.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx github.com: https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5 github.com: https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3