XXE in Tolgee Tolgee-platform
CVE-2026-32251
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation fi…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.000 (14.8th percentile)
Affected products
- Tolgee Tolgee-platform — versions < 3.166.3
Weakness classification (CWE)
References
- https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx (x_refsource_CONFIRM)
- https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5 (x_refsource_MISC)
- https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3 (x_refsource_MISC)