CVE-2026-50223

Published: Jun 10, 2026Modified: Jun 12, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.

Affected (1)

Products: Apache: Ofbiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ofbiz	Before 24.09.07

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://lists.apache.org/thread/trr2p4zokg54glqlhjnglt4yr7n8t5xd

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/10/13

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.