CVE-2026-32251 is an XML External Entity (XXE) vulnerability classified under CWE-611 affecting tolgee-platform, an open-source localization platform. The vulnerability exists because the XML parsers used to import Android XML resource files (.xml) and .resx files do not disable external entity processing prior to version 3.166.3. This improper restriction allows an authenticated user who can upload translation files to craft malicious XML payloads containing external entity references. When parsed, these payloads enable the attacker to read arbitrary files from the server filesystem and perform server-side request forgery (SSRF) to internal services that are otherwise inaccessible externally. The vulnerability does not require elevated privileges or user interaction beyond authentication and file import capability. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, with no impact on integrity or availability. This flaw can lead to significant data leakage and internal network mapping, which can be leveraged for further attacks. The vulnerability was publicly disclosed on March 12, 2026, and fixed in tolgee-platform version 3.166.3. No public exploits have been reported yet, but the critical severity score underscores the urgency for remediation.

The impact of CVE-2026-32251 is substantial for organizations using tolgee-platform versions prior to 3.166.3. Exploitation allows attackers to read sensitive files on the server, potentially exposing configuration files, credentials, or other confidential data. Additionally, the ability to make server-side requests to internal services can facilitate reconnaissance of internal networks, bypassing perimeter defenses. This can lead to further compromise, lateral movement, or data exfiltration. Since the vulnerability requires only authenticated access to import translation files, insider threats or compromised user accounts pose a significant risk. Organizations relying on tolgee-platform for localization, especially those handling sensitive or proprietary content, face confidentiality breaches and potential operational disruptions. The vulnerability’s critical severity and network attack vector mean it can be exploited remotely and easily, increasing the risk of widespread impact if not addressed promptly.

To mitigate CVE-2026-32251, organizations should immediately upgrade tolgee-platform to version 3.166.3 or later, where the XML parsers have been properly configured to disable external entity processing. Until the upgrade is applied, restrict the ability to import translation files to only highly trusted and verified users to minimize the attack surface. Implement strict input validation and scanning of uploaded XML files to detect and block malicious external entity references. Employ network segmentation and firewall rules to limit tolgee-platform server access to internal services, reducing the impact of SSRF attempts. Monitor logs for unusual file access patterns or unexpected outbound requests originating from the tolgee-platform server. Conduct regular security audits of user permissions and review authentication mechanisms to prevent unauthorized access. Finally, educate developers and administrators about the risks of XXE vulnerabilities and secure XML parsing best practices.