CVE-2026-3813
Published: 09 March 2026
Summary
CVE-2026-3813 is a medium-severity Injection (CWE-74) vulnerability in Opencc Jflow. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 27.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-3813 is an injection vulnerability (CWE-74, CWE-707, CWE-77) in the Calculate function of the file src/main/java/bp/wf/httphandler/WF_CCForm.java within opencc JFlow up to commit 5badc00db382d7cb82dad231e6a866b18e0addfe. The vulnerability enables remote manipulation leading to injection attacks.
The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), meaning it can be exploited over the network with low attack complexity by an attacker possessing low privileges, without requiring user interaction and with unchanged scope. Successful exploitation could result in low-level impacts to confidentiality, integrity, and availability. A public exploit is available and might be used.
No patches or fixed versions are disclosed due to the project's rolling release model, which does not provide specific version information for affected or updated releases. The project was notified early through an issue report but has not responded. Security practitioners should monitor the repository at https://gitee.com/opencc/JFlow/ and the issue at https://gitee.com/opencc/JFlow/issues/IE8R2F, with further details available via VulDB at https://vuldb.com/?ctiid.349779, https://vuldb.com/?id.349779, and https://vuldb.com/?submit.769112.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10316
Vulnerability details
A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection (CWE-77) in a Java web app handler directly enables exploitation of public-facing applications (T1190) and arbitrary command/script execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all inputs to the Calculate function, directly blocking the injection payloads described in the CVE.
- AC-3 (Access Enforcement): enforces access-control decisions on the WF_CCForm.java endpoint so only authorized callers can reach the vulnerable Calculate function.
- Enables monitoring of inputs and execution anomalies in the Calculate function to identify ongoing injection attempts.