6.5
CVE-2026-31380
- EPSS 0.49%
- Veröffentlicht 19.05.2026 09:24:39
- Zuletzt bearbeitet 19.05.2026 19:16:47
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.38 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
https://lists.apache.org/thread/v2brvq1tf4q491obkxv8p7fc5qfshc08
http://www.openwall.com/lists/oss-security/2026/05/19/19