Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz is vulnerable to reflected cross-site scripting because parameters of its layered-modal dialog are written into HTML attributes without attribute escaping. An attacker who gets a victim to open a crafted URL can therefore run arbitrary JavaScript in the victim's browser in the context of the OFBiz application, which can expose session data or serve as the first step of a drive-by attack. The weakness is CWE-79.

Affected Systems

The vulnerability affects all deployments of Apache OFBiz older than version 24.09.06. No specific sub‑products are listed separately; the issue is present across the application before that release.

Risk and Exploitability

With a CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), the vulnerability is rated Medium: it is reachable over the network without authentication, but it requires the victim to open a crafted link, and the changed scope reflects that the injected script runs in the victim's browser rather than on the server. The EPSS score of < 1% indicates a low likelihood of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. Because it is a reflected XSS, a successful attack executes arbitrary JavaScript in the victim's authenticated browser session with OFBiz, which can lead to session hijacking or to actions performed on the victim's behalf.

Generated by OpenCVE AI on May 19, 2026 at 15:31 UTC.

Remediation

The vendor fix is the upgrade to Apache OFBiz 24.09.06 named in the description; no separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06, which adds the missing HTML attribute escaping for the layered-modal dialog parameters.
  • If an immediate upgrade is not possible, validate the affected request parameters against an allow-list (or at minimum attribute-escape them) before they are embedded in an HTML attribute; escaping meant for text content is not sufficient in an attribute context, because a single stray quote character is enough to break out of the attribute.
  • Until the patch is applied, a web application firewall rule for the affected endpoint or a Content-Security-Policy that disallows inline scripts and inline event handlers (no 'unsafe-inline' in script-src) limits what a reflected payload can do; neither replaces the fix.

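The bug class and the fix described above, as an added example that is not Apache OFBiz code: a minimal stand-in for a server-side template that writes a request parameter into a modal dialog's attribute, first unescaped (the CWE-79 pattern the advisory describes) and then attribute-escaped, plus the allow-list check an interim mitigation would apply before the value reaches the template. The parameter name `title`, the markup, the payload and the allow-list pattern are assumptions; the advisory does not name the affected parameters.

```python
"""Reflected XSS via an unescaped HTML attribute, and the fix.

Added example, not Apache OFBiz code: a minimal stand-in for a server-side
template that writes a request parameter into a modal dialog's attribute.
The parameter name ``title``, the markup and the allow-list pattern are
assumptions; the bug class (CWE-79, missing HTML attribute escaping) is the
one the advisory describes.
"""
import html
import re
from html.parser import HTMLParser

# Constructed attacker input. In an attribute context no <script> tag is
# needed: a double quote closes the attribute and a new attribute follows.
PAYLOAD = '" onmouseover="alert(1)'


def render_modal_vulnerable(title: str) -> str:
    """Before: the request parameter is concatenated straight into the attribute."""
    return f'<div class="modal" title="{title}">...</div>'


def escape_attr(value: str) -> str:
    """HTML attribute escaping: & < > " and ' become entities, so the value
    can never terminate the attribute or start a new one. html.escape with
    quote=True covers exactly this set, including the single quote, which
    matters when a template uses single-quoted attributes."""
    return html.escape(value, quote=True)


def render_modal_fixed(title: str) -> str:
    """After: the same template with the value attribute-escaped."""
    return f'<div class="modal" title="{escape_attr(title)}">...</div>'


# Interim mitigation from the recommended actions: an allow-list applied to
# the parameter before it reaches the template. The pattern is an assumption
# suited to a short human-readable dialog title; tune it to the real field.
_ALLOWED_TITLE = re.compile(r"[A-Za-z0-9 ._-]{0,80}")


def is_allowed_title(value: str) -> bool:
    """True only if the whole value matches the allow-list pattern."""
    return _ALLOWED_TITLE.fullmatch(value) is not None


class _FirstStartTag(HTMLParser):
    """Records the attributes of the first start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def first_tag_attrs(markup: str) -> dict:
    """Parse the rendering the way a browser would and return the attributes
    of the first tag: an injected event handler shows up as its own key,
    while a correctly escaped payload comes back as the title's string value."""
    parser = _FirstStartTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    for render in (render_modal_vulnerable, render_modal_fixed):
        markup = render(PAYLOAD)
        print(render.__name__, markup)
        print("  attributes:", first_tag_attrs(markup))
```

Running the block prints both renderings and their parsed attributes: the vulnerable one carries a third attribute, `onmouseover`, that the template never declared, while the fixed one has only `class` and `title`, with the payload held inertly as the title's string value. The allow-list is the cheaper check to bolt on at the controller while the upgrade is scheduled, but it only works if the value it accepts is too narrow to carry quotes or angle brackets; the escaping is what the actual fix supplies.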

Advisories

No advisories yet.

History

Tue, 19 May 2026 16:45:00 +0000
  CPEs, values added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000
  Metrics, values added:
    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000
  First Time appeared, values added: Apache; Apache ofbiz
  Vendors & Products, values added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000
  Description, values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
  Title, values added: Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters
  Weaknesses, values added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:54:35.784Z

Reserved: 2026-03-10T07:26:03.778Z

Link: CVE-2026-31906

Vulnrichment

Updated: 2026-05-19T13:54:31.509Z

NVD

Status : Analyzed

Published: 2026-05-19T10:16:23.777

Modified: 2026-05-19T16:36:39.527

Link: CVE-2026-31906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses