Security vulnerability writeups, bug bounty reports, and research.https://simonkoeck.com/https://simonkoeck.com/writeups/tolgee-xxe-translation-import/https://simonkoeck.com/writeups/tolgee-xxe-translation-import/Tolgee's translation import parsers don't disable external entity processing, letting any user with import permissions read arbitrary files from the server and perform SSRF. Confirmed on the cloud platform.Tue, 07 Apr 2026 00:00:00 GMTxxexmlfile-readssrftolgeejava