critical / Tolgee /
XXE Injection via Translation File Import in Tolgee
Tolgee's translation import parsers don't disable external entity processing, letting any user with import permissions read arbitrary files from the server and perform SSRF. Confirmed on the cloud platform.
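A hardened import parser of the kind the description calls for, as an added example that is not Tolgee's code. It assumes a JVM backend using the JDK's built-in JAXP parser; the class name, the method names and the XLIFF samples are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class SafeTranslationImport {  // hypothetical name
    // Factory for untrusted uploads: no DOCTYPE, no external entities, DTDs or schemas.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // no protocols allowed
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // no protocols allowed
        return f;
    }
    // Returns trans-unit id -> <source> text; throws SAXParseException on any DOCTYPE.
    static Map<String, String> importXliff(String xml) throws Exception {
        Document doc = hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> out = new LinkedHashMap<>();
        NodeList units = doc.getElementsByTagName("trans-unit");
        for (int i = 0; i < units.getLength(); i++) {
            Element u = (Element) units.item(i);
            NodeList src = u.getElementsByTagName("source");
            if (src.getLength() > 0) out.put(u.getAttribute("id"), src.item(0).getTextContent());
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample files, not taken from the advisory.
        String body = "<xliff version=\"1.2\"><file><body><trans-unit id=\"greeting\"><source>%s</source></trans-unit></body></file></xliff>";
        String benign = String.format(body, "Hello");
        String withDtd = "<!DOCTYPE xliff [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + String.format(body, "&ext;");
        System.out.println("benign import: " + importXliff(benign));
        try {
            importXliff(withDtd);
            System.out.println("DOCTYPE file was accepted (parser is not hardened)");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE file rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright closes both the file-read and the SSRF path, since neither a local nor a remote entity can be declared; the remaining settings are defence in depth for parsers where DOCTYPE cannot be refused.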