CVE-2026-32251: CWE-611: Improper Restriction of XML External Entity Reference in tolgee tolgee-platform
CVE-2026-32251 is a critical XML External Entity (XXE) vulnerability in tolgee-platform versions prior to 3.166.3. The issue arises because the XML parsers used for importing Android XML and .resx translation files do not disable external entity processing. An authenticated user with permission to import translation files can exploit this flaw to read arbitrary files on the server and perform server-side requests to internal services, potentially exposing sensitive data and internal network resources. The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity, and requires no user interaction or privileges beyond authentication. Although no known exploits are currently reported in the wild, the impact could be severe if weaponized.
AI Analysis
Technical Summary
CVE-2026-32251 is an XML External Entity (XXE) vulnerability classified under CWE-611 affecting the tolgee-platform, an open-source localization platform. The vulnerability exists because the XML parsers used to import Android XML resource files (.xml) and .resx files do not disable external entity processing prior to version 3.166.3. This improper restriction allows an authenticated user who can upload translation files to craft malicious XML payloads containing external entity references. When processed by the vulnerable XML parser, these payloads enable the attacker to read arbitrary files on the server filesystem and perform server-side request forgery (SSRF) to internal services. The flaw does not require elevated privileges beyond authentication and does not require user interaction, making exploitation straightforward once access is gained. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical impact on confidentiality and integrity. The vulnerability was publicly disclosed on March 12, 2026, and fixed in version 3.166.3 of tolgee-platform. No known exploits have been reported in the wild yet, but the potential for data exfiltration and internal network reconnaissance is significant. Organizations using tolgee-platform for localization, especially those importing Android or .resx translation files, must upgrade to the patched version and audit user permissions for importing translation files to mitigate risk.
Potential Impact
The impact of CVE-2026-32251 is substantial for organizations using tolgee-platform versions prior to 3.166.3. Exploitation allows an authenticated user to read arbitrary files on the server, potentially exposing sensitive configuration files, credentials, or proprietary data. Additionally, the ability to make server-side requests to internal services can facilitate further network reconnaissance, lateral movement, or exploitation of internal-only services not exposed externally. This can lead to significant confidentiality breaches and compromise of internal infrastructure. Since tolgee-platform is used for localization management, organizations with sensitive intellectual property or regulated data in their translation files or internal systems are at heightened risk. The vulnerability's ease of exploitation—requiring only authenticated access and no user interaction—means insider threats or compromised user accounts can quickly lead to severe data breaches. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the criticality of patching. Failure to remediate could result in data leakage, disruption of localization workflows, and potential compliance violations.
Mitigation Recommendations
To mitigate CVE-2026-32251, organizations should immediately upgrade tolgee-platform to version 3.166.3 or later, where the XML parser properly disables external entity processing. Until the upgrade is applied, restrict the ability to import translation files to a minimal set of trusted, authenticated users to reduce the attack surface. Implement strict access controls and monitor import activities for suspicious or anomalous file uploads. Employ network segmentation and firewall rules to limit tolgee-platform server access to internal services, reducing the impact of SSRF attacks. Additionally, conduct regular audits of server file permissions and logs to detect unauthorized file access attempts. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAFs) with rules targeting XXE payloads to provide an additional layer of defense. Finally, educate developers and administrators about secure XML parsing practices and the risks of enabling external entity processing.
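A hardened import path for the two formats named above, as an added example that is not tolgee-platform's own code or its fix: it uses Python's standard-library expat parser (tolgee itself runs on the JVM, where the equivalent is disabling DOCTYPE and external entities on the DocumentBuilderFactory), rejects any DOCTYPE before an entity can be expanded, and never fetches external entities. The sample documents are constructed for the check.

```python
from xml.parsers import expat

class UnsafeXmlError(ValueError):
    """The uploaded translation file declared a DTD or used an entity."""

def parse_translations(xml_bytes: bytes) -> dict:
    """{key: text} from Android <string name> or .resx <data name><value>."""
    parser = expat.ParserCreate()
    # Never read an external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    out, st = {}, {"key": None, "capture": False, "buf": []}

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any entity is expanded, so nothing is ever read.
        raise UnsafeXmlError("DOCTYPE is not allowed in translation files")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXmlError("external entity reference refused")

    def start(name, attrs):
        if name in ("string", "data"):        # Android / .resx key holder
            st["key"], st["buf"] = attrs.get("name"), []
        st["capture"] = name in ("string", "value")  # where the text lives

    def end(name):
        if name in ("string", "value") and st["key"]:
            out[st["key"]] = "".join(st["buf"]).strip()
        st["capture"] = False

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda d: st["capture"] and st["buf"].append(d)
    parser.Parse(xml_bytes, True)
    return out

def is_safe_import(xml_bytes: bytes) -> bool:
    """Upload gate: False means reject the file before it is stored."""
    try:
        parse_translations(xml_bytes)
        return True
    except (UnsafeXmlError, expat.ExpatError):
        return False

# Constructed samples for the checks below (not taken from the advisory).
SAFE_ANDROID = b'<resources><string name="greeting">Hello, world</string></resources>'
SAFE_RESX = b'<root><data name="Greeting"><value>Hello</value></data></root>'
UNSAFE_UPLOAD = (b'<!DOCTYPE resources [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                 b'<resources><string name="leak">&ext;</string></resources>')
```

Because the DOCTYPE handler raises before the document body is parsed, a rejected upload never causes a file read or an outbound request, which is the behaviour a WAF rule can only approximate.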
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.686Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b317b02f860ef943e64732
Added to database: 3/12/2026, 7:44:48 PM
Last enriched: 3/20/2026, 2:35:42 AM
Last updated: 4/26/2026, 8:05:36 PM