Xerox


Products by Xerox Sorted by Most Security Vulnerabilities since 2018

Xerox Freeflow Core: 8 vulnerabilities
Xerox Xmpie Ustore: 2 vulnerabilities
Xerox Altalink Firmware: 1 vulnerability
Xerox Versalink Firmware: 1 vulnerability
Xerox Workcentre Firmware: 1 vulnerability
Xerox Firmware: 1 vulnerability

By the Year

In 2026 there have been 3 vulnerabilities in Xerox with an average score of 7.5 out of ten. Last year, in 2025, Xerox had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Xerox in 2026 could surpass last year's number. Interestingly, the average vulnerability score and the number of vulnerabilities for 2026 and last year were the same.

Year  Vulnerabilities  Average Score
2026  3                7.53
2025  4                7.53
2024  5                8.88
2023  1                6.50
2022  2                6.15

It may take a day or so for new Xerox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Xerox Security Vulnerabilities

CVE-2026-2252 (Feb 27, 2026)
XXE/SSRF in Xerox FreeFlow Core (<=8.0.7) via crafted XML. An XML External Entity (XXE) vulnerability allows a malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads
Products: Freeflow Core

CVE-2026-2251 (Feb 27, 2026)
Xerox FreeFlow Core v8.0.7 Path Traversal RCE. Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads
Products: Freeflow Core

CVE-2026-1769 (Feb 06, 2026)
Xerox CentreWare Stored XSS (v<7.0.6). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com

CVE-2025-8356 (Aug 08, 2025)
Xerox FreeFlow Core 8.0.4 Path Traversal RCE. In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.
Products: Freeflow Core

CVE-2025-8355 (Aug 08, 2025)
Xerox FreeFlow Core 8.0.4 SSRF via XXE in XML Parsing. In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs; this results in a Server-Side Request Forgery (SSRF).
Products: Freeflow Core

CVE-2024-12511 (Feb 03, 2025)
Printer SMB/FTP Misconfig via AB Access. With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access.

CVE-2024-55925 (Jan 23, 2025)
Xerox Workplace Suite Host Header Injection on Restricted API. In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints.

CVE-2024-6333 (Oct 17, 2024)
Authenticated RCE in Altalink, Versalink & WorkCentre. Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products.
Products: Altalink Firmware, Versalink Firmware, Workcentre Firmware, and others

CVE-2024-47559 (Oct 07, 2024)
Authenticated RCE via Path Traversal.
Products: Freeflow Core

CVE-2024-47558 (Oct 07, 2024)
Authenticated RCE via Path Traversal in Unknown Product.
Products: Freeflow Core

CVE-2024-47557 (Oct 07, 2024)
Pre-Auth RCE via Path Traversal Vulnerability.
Products: Freeflow Core

CVE-2024-47556 (Oct 07, 2024)
Pre-Auth RCE via Path Traversal.
Products: Freeflow Core

CVE-2022-45897 (Jan 31, 2023)
Authenticated user can view SMB settings & cleartext credentials on Xerox WorkCentre 3550. On Xerox WorkCentre 3550 25.003.03.000 devices, an authenticated attacker can view the SMB server settings and can obtain the stored cleartext credentials associated with those settings.
Products: Workcentre 3550 Firmware

CVE-2022-23321 (Feb 10, 2022)
A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0.
Products: Xmpie Ustore

CVE-2022-23320 (Feb 07, 2022)
XMPie uStore 12.3.7244.0 allows administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application and exfiltrate sensitive information from the database.
Products: Xmpie Ustore

CVE-2012-0773 (Mar 28, 2012)
The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228 on Windows, Mac OS X, and Linux; Flash Player before 10.3.183.18 and 11.x before 11.2.202.223 on Solaris; Flash Player before 11.1.111.8 on Android 2.x and 3.x; and AIR before 3.2.0.2070 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
Products: Freeflow Print Server
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).