Apache OFBiz is affected by a low‑privilege server‑side template injection vulnerability that can lead to remote code execution. The flaw allows attackers who can manipulate content records or templates to inject malicious code into the template engine, which is then executed with the privileges of the running application. The weakness is classified as CWE‑1336, indicating insecure neutralization of special template elements. Users with limited access privileges to the content component can exploit this to run arbitrary code, potentially compromising the entire system.

The issue applies to all Apache OFBiz installations running a version prior to 24.09.06. The vulnerable component is the Content module, which handles data resources and content management for the application. Any site using the default "Ecommerce Customer" security group, which traditionally includes content management rights, falls under the same risk because that group may be granted the necessary privileges to manipulate templates.

The CVSS score for this vulnerability is not publicly published, and EPSS is unavailable, so the exact exploitation probability cannot be quantified. However, the vulnerability is listed as not being in the CISA KEV catalog. Given that it permits code execution from a low‑privilege account and that the template engine processes data supplied by untrusted users, the potential impact is high. The likely attack vector involves accessing the content management interfaces or creating/altering data resources that the template engine processes. No known exploitation state is reported at this time, but the combination of RCE and low privileges makes it a critical threat.