Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz contains a combination of path traversal, stored cross-site scripting, and code injection weaknesses in the catalog manager. An attacker who can control upload filenames can escape the intended storage directory and overwrite or create arbitrary files, including web-accessible scripts. Through the stored XSS the attacker can hijack sessions or deliver malicious content, and the code injection permits execution of arbitrary code, effectively enabling remote code execution.

Affected Systems

Apache OFBiz versions earlier than 24.09.06.

Risk and Exploitability

The vulnerability can result in RCE, although the CVSS score of 6.1 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the issue is not listed in CISA KEV. The combination of path traversal and code injection gives an attacker a clear path once the upload interface is reachable; while the attack may require authenticated access to the catalog manager, it can be inferred that it is exploitable through normal user interaction.

Generated by OpenCVE AI on May 19, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 to remove the vulnerable code path.
  • If an upgrade is not immediately possible, restrict the catalog manager upload endpoint to privileged users only and enforce strict filename validation to prevent directory traversal.
  • Deploy a web application firewall or runtime monitoring to block suspicious path traversal and code injection patterns.
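The second action above, strict filename validation for the upload endpoint, as an added illustrative check in Python (not OFBiz code; the storage root and extension allow-list are assumptions for the example). It keeps only names that match an allow-list, rejects separators, traversal and NUL bytes outright rather than "cleaning" them, and confirms the resolved destination is still a direct child of the storage root.

```python
import re
from pathlib import Path

# Assumed storage location and extension allow-list for this example.
STORAGE_ROOT = Path("/var/ofbiz/catalog-uploads")
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Must start with an alphanumeric; no separators, no shell or HTML metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename fails validation."""


def safe_upload_path(user_filename: str, root: Path = STORAGE_ROOT) -> Path:
    """Return the resolved destination for an upload, or raise UnsafeFilename.

    Defence in depth, fail closed at each layer:
      1. reject NUL bytes (used to truncate names in lower-level APIs);
      2. reject any path separator, so the client can never choose a directory;
      3. allow-list the character set and the extension, which also prevents
         names that would later render as markup (the stored XSS vector);
      4. resolve the final path and require it to sit directly under the root.
    """
    if not user_filename or "\x00" in user_filename:
        raise UnsafeFilename("empty or NUL-containing filename")
    if "/" in user_filename or "\\" in user_filename:
        raise UnsafeFilename(f"path separator in filename: {user_filename!r}")
    if not SAFE_NAME.match(user_filename):
        raise UnsafeFilename(f"rejected filename: {user_filename!r}")
    if Path(user_filename).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension not allowed: {user_filename!r}")
    root_resolved = root.resolve()
    dest = (root_resolved / user_filename).resolve()
    # Containment check: the resolved path must be a direct child of the root.
    if dest.parent != root_resolved:
        raise UnsafeFilename("destination escapes storage root")
    return dest


def is_accepted(user_filename: str) -> bool:
    """Convenience wrapper: True if the name would be stored, False if rejected."""
    try:
        safe_upload_path(user_filename)
        return True
    except UnsafeFilename:
        return False
```

Only the validated name should be written back into catalog pages; if the original client string must be displayed, HTML-escape it at render time.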

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Apache; Apache ofbiz

Type: Vendors & Products
Values Added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Type: Title
Values Added: Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager

Type: Weaknesses
Values Added: CWE-22; CWE-79; CWE-94

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:27:41.749Z

Reserved: 2026-03-09T08:40:25.901Z

Link: CVE-2026-31379

Vulnrichment

Updated: 2026-05-19T13:27:36.818Z

NVD

Status: Analyzed

Published: 2026-05-19T10:16:23.253

Modified: 2026-05-19T15:27:52.353

Link: CVE-2026-31379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T11:30:03Z

Weaknesses