{"id":"CVE-2018-20157","details":"The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.","modified":"2026-04-10T03:55:24.017698Z","published":"2018-12-15T00:29:00.317Z","references":[{"type":"FIX","url":"https://github.com/OpenRefine/OpenRefine/issues/1907"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openrefine/openrefine","events":[{"introduced":"0"},{"last_affected":"b90e413b404e6ca7e2b3351db773fe189c1a2a65"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.1"}]}}],"versions":["2.6-beta.1","2.6-rc.2","2.7","2.7-rc.1","2.7-rc.2","2.8","3.0","3.0-beta","3.0-rc.1","3.1","3.1-beta","v2.6-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20157.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}