Description
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Apache OFBiz arises from improper handling of input parameters in FreeMarker templates, allowing an attacker to inject arbitrary FreeMarker expressions. When an attacker supplies a crafted value for a duplicated parameter, the sanitization step can be bypassed, enabling the template engine to evaluate malicious code. Based on the description, it is inferred that the injected expression may enable an attacker to compromise the application’s security posture.

Affected Systems

Products affected are Apache OFBiz versions prior to 24.09.06. All deployments using those releases are vulnerable until the application is upgraded to 24.09.06 or later, where the fix was implemented.

Risk and Exploitability

The CVSS score is 6.5, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting current exploitation activity is unknown. Based on the description, it is inferred that attackers would need to supply malicious input to a user‑controllable field that is rendered in a FreeMarker template. If the application exposes such a field without proper authorization checks, exploitation can occur with minimal prerequisites.

Generated by OpenCVE AI on May 19, 2026 at 15:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or later to apply the vendor’s fix.
  • Audit and harden template handling by enforcing strict input validation and reducing template exposure to user data; limit template rendering to trusted data only.
  • Implement request handling logic to reject or collapse duplicate parameters before they reach the template engine, thereby preventing the sanitization bypass.

Generated by OpenCVE AI on May 19, 2026 at 15:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
Vendors & Products Apache
Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass
Weaknesses CWE-917
References

Subscriptions

Apache Ofbiz
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:14.491Z

Reserved: 2026-03-09T08:59:41.152Z

Link: CVE-2026-31380

cve-icon Vulnrichment

Updated: 2026-05-19T18:37:14.491Z

cve-icon NVD

Status : Modified

Published: 2026-05-19T10:16:23.377

Modified: 2026-05-19T19:16:47.500

Link: CVE-2026-31380

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:15:08Z

Weaknesses