Cyber Resilience

CVE-2026-3813

Medium · Public PoC

Published: 09 March 2026

Modified: 10 March 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (27.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3813 is a medium-severity injection (CWE-74) vulnerability in opencc JFlow. Its CVSS v4 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 27.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3813 is an injection vulnerability (CWE-74, CWE-707, CWE-77) in the Calculate function of the file src/main/java/bp/wf/httphandler/WF_CCForm.java in opencc JFlow, affecting the code base up to commit 5badc00db382d7cb82dad231e6a866b18e0addfe. A remote caller who can manipulate the function's input can trigger the injection.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), meaning it can be exploited over the network with low attack complexity by an attacker possessing low privileges, without requiring user interaction and with unchanged scope. Successful exploitation could result in low-level impacts to confidentiality, integrity, and availability. A public exploit is available and might be used.

No patches or fixed versions are disclosed due to the project's rolling release model, which does not provide specific version information for affected or updated releases. The project was notified early through an issue report but has not responded. Security practitioners should monitor the repository at https://gitee.com/opencc/JFlow/ and the issue at https://gitee.com/opencc/JFlow/issues/IE8R2F, with further details available via VulDB at https://vuldb.com/?ctiid.349779, https://vuldb.com/?id.349779, and https://vuldb.com/?submit.769112.


Vulnerability details

A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote command injection (CWE-77) in a Java web application handler directly enables exploitation of a public-facing application (T1190) and arbitrary command or script execution (T1059).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1414 (shared CWE-74, CWE-77)
CVE-2025-15133 (shared CWE-74, CWE-77)
CVE-2026-2956 (shared CWE-74, CWE-77)
CVE-2025-15132 (shared CWE-74, CWE-77)
CVE-2026-8344 (shared CWE-74, CWE-77)
CVE-2026-7058 (shared CWE-74, CWE-77)
CVE-2025-8752 (shared CWE-74, CWE-77)
CVE-2025-0328 (shared CWE-74, CWE-77)
CVE-2025-10962 (shared CWE-74, CWE-77)
CVE-2025-1845 (shared CWE-74, CWE-77)

Affected Assets

opencc jflow: all versions

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-10, Information Input Validation): requires validation and sanitization of all inputs to the Calculate function, directly blocking the injection payloads described in the CVE.

Prevent (AC-3, Access Enforcement): enforces access-control decisions on the WF_CCForm.java endpoint so only authorized callers can reach the vulnerable Calculate function.

Detect: enables monitoring of inputs and execution anomalies in the Calculate function to identify ongoing injection attempts.
