CVE-2025-54466

Published: Aug 15, 2025Modified: Nov 4, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Affected (1)

Products: Apache: Ofbiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ofbiz	Before 24.09.02

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://issues.apache.org/jira/browse/OFBIZ-13276

Source: security@apache.org

Patch

https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915

Source: security@apache.org

Mailing ListThird Party Advisory

https://ofbiz.apache.org/download.html

Source: security@apache.org

Product

https://ofbiz.apache.org/release-notes-24.09.02.html

Source: security@apache.org

Release Notes

https://ofbiz.apache.org/security.html

Source: security@apache.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/08/05/1

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.