CVE-2026-24343

EPSS 0.03%
Veröffentlicht 10.02.2026 09:28:52
Zuletzt bearbeitet 11.02.2026 17:56:14
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions

Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.

This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.

Users are recommended to upgrade to version 1.8.0, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Hertzbeat Version >= 1.7.1 < 1.8.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.072

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

https://lists.apache.org/thread/b2k3jqwffrbo2sy6bl4n0f68kp8bfo1n

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/02/09/4

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-24343

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24343

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24343

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24343