CVE-2025-26865

EPSS 0.4%
Veröffentlicht 10.03.2025 14:01:06
Zuletzt bearbeitet 23.06.2025 18:37:09
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.  

It's a regression between 18.12.17 and 18.12.18.
In case you use something like that, which is not recommended!
For security, only official releases should be used.

In other words, if you use 18.12.17 you are still safe.
The version 18.12.17 is not a affected.
But something between 18.12.17 and 18.12.18 is.

In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Ofbiz Version18.12.17

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.608

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	3.5	0.9	2.5	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://ofbiz.apache.org/security.html

Vendor Advisory

https://ofbiz.apache.org/download.html

Product

https://issues.apache.org/jira/browse/OFBIZ-12594

Patch

Issue Tracking

https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2025/03/07/1

Third Party Advisory