FreeCol XXE Vulnerability Fixed

Tuesday, 2020-01-14 Mike Pope

FreeCol 0.11.6 and subsequent development versions up to 2019-12-26 are subject to an XML External Entity parsing bug, due to use of a vulnerable Java library, as detailed in CVE-2018-1000825. Older, unsupported versions since at least 0.10.0 may also be affected.

According to the CVE, the bug can lead to disclosure of confidential data, denial of service, server-side request forgery (SSRF), or port scanning, albeit with limited attacker control.

Exploiting the bug requires convincing a player to load a specially crafted FreeCol save game, either directly or by joining a hostile FreeCol server.

The FreeCol team are unaware of any actual cases of this bug being exploited. It is fixed in the nightly releases from 2019-12-27 onward.
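
As an added example (not FreeCol code), a pre-load check for the crafted-save scenario described above: it reports any DTD or entity declaration in a save's XML without resolving it. That a save may be a zip of XML members, the 1 MiB prolog bound, and the sample documents are all assumptions made for this example.

```python
import io
import zipfile
from xml.parsers import expat

PROLOG_LIMIT = 1 << 20  # assumed bound: a DTD must come before the root element

class _RootReached(Exception):
    """Raised at the first element: the prolog, and any DTD, is over."""

def scan_xml(data: bytes) -> list:
    """Return the DTD and entity declarations found in an XML prolog."""
    findings = []
    parser = expat.ParserCreate()  # expat does not fetch external entities itself

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} system={system_id!r}")
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        findings.append(f"{kind} entity {name} system={system_id!r}")
    def on_root(name, attrs):
        raise _RootReached  # stop before any entity reference is expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data[:PROLOG_LIMIT], False)
    except _RootReached:
        pass
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings

def scan_save(blob: bytes) -> dict:
    """Scan bare XML, or each .xml member if the save is a zip (assumed layout)."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return {"<file>": scan_xml(blob)}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: scan_xml(zf.open(n).read(PROLOG_LIMIT))
                for n in zf.namelist() if n.lower().endswith(".xml")}

# Constructed samples, not real FreeCol saves.
CLEAN = b'<?xml version="1.0"?><savedGame version="1"/>'
CRAFTED = (b'<?xml version="1.0"?><!DOCTYPE savedGame ['
           b'<!ENTITY x SYSTEM "file:///placeholder">]>'
           b'<savedGame>&x;</savedGame>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("crafted", CRAFTED)):
        print(label, scan_save(doc))
```

Any finding means the file declares a DTD or entities and is worth inspecting before it is opened in an affected version.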