Impact
The vulnerability stems from the maven-dependency-plugin configuration in the openapi-to-java-records-mustache-templates-parent artifact, which automatically extracts all .mustache files from the openapi-to-java-records-mustache-templates module whenever a dependency update is performed. Because the plugin does not validate the contents of the extracted files, a compromised openapi-to-java-records-mustache-templates artifact could carry malicious Mustache templates that are unpacked into the build environment. The primary impact is that downstream code processing these templates could execute unintended logic at build time, effectively leading to code execution or other malicious actions. This weakness is classified as CWE-20 (Improper Input Validation).
Affected Systems
The vulnerability affects projects that include the openapi-to-java-records-mustache-templates-parent POM from version 5.1.1 up to, but not including, 5.5.1. The parent POM is published on Maven Central and can be imported by any external project. While it was not intended for external use, its public exposure means that any project incorporating it could be exposed to unpacking of arbitrary .mustache files. The fix is provided in the v3.5.1 release of openapi-to-java-records-mustache-templates-parent, which removes the automatic unpacking behavior.
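A defender-side audit for the pattern described in the Impact and Affected Systems sections, added here as an example that is not part of the advisory or the project's own code: it parses a Maven POM, flags inheritance of the affected parent within the stated version range, and lists any maven-dependency-plugin execution that unpacks .mustache files from a dependency. The sample POM, its groupId and its execution id are constructed placeholders.

```python
# Added example (not from the advisory or the project): flag the advisory's pattern in a POM,
# i.e. the affected parent in [5.1.1, 5.5.1) and dependency-plugin unpacking of *.mustache.
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
AFFECTED_PARENT = "openapi-to-java-records-mustache-templates-parent"
FIRST_AFFECTED, FIRST_FIXED = (5, 1, 1), (5, 5, 1)  # range stated in the advisory

def parse_version(v):
    """Numeric dotted version to a tuple; None for anything else (e.g. SNAPSHOT)."""
    parts = v.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def parent_in_affected_range(root):
    parent = root.find(f"{NS}parent")
    if parent is None or parent.findtext(f"{NS}artifactId") != AFFECTED_PARENT:
        return False
    ver = parse_version(parent.findtext(f"{NS}version") or "")
    return ver is not None and FIRST_AFFECTED <= ver < FIRST_FIXED

def mustache_unpack_executions(root):
    """Ids of maven-dependency-plugin unpack executions whose includes match .mustache."""
    hits = []
    for plugin in root.iter(f"{NS}plugin"):
        if plugin.findtext(f"{NS}artifactId") != "maven-dependency-plugin":
            continue
        for execution in plugin.iter(f"{NS}execution"):
            goals = {g.text for g in execution.iter(f"{NS}goal")}
            includes = " ".join(i.text or "" for i in execution.iter(f"{NS}includes"))
            if goals & {"unpack", "unpack-dependencies"} and ".mustache" in includes:
                hits.append(execution.findtext(f"{NS}id"))
    return hits

def audit_pom(pom_xml):
    root = ET.fromstring(pom_xml)
    return {"affected_parent": parent_in_affected_range(root),
            "mustache_unpacks": mustache_unpack_executions(root)}

# Constructed sample POM showing the pattern; groupId and execution id are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>example.placeholder</groupId>
    <artifactId>openapi-to-java-records-mustache-templates-parent</artifactId>
    <version>5.2.0</version></parent>
  <build><plugins><plugin><artifactId>maven-dependency-plugin</artifactId>
    <executions><execution><id>unpack-templates</id><goals><goal>unpack</goal></goals>
      <configuration><artifactItems><artifactItem>
        <artifactId>openapi-to-java-records-mustache-templates</artifactId>
        <includes>**/*.mustache</includes>
      </artifactItem></artifactItems></configuration>
    </execution></executions></plugin></plugins></build></project>"""
```

Run it against the output of `mvn help:effective-pom` to see inherited plugin executions, not just those declared in the local pom.xml.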
Risk and Exploitability
The CVSS score for this vulnerability is 2.3, indicating low severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low current exploitation risk. However, exploitation requires only that an attacker publish a tampered openapi-to-java-records-mustache-templates artifact and that a user's build incorporate the vulnerable parent POM. The attack vector is inferred as build-time injection, and there are no publicly documented exploits at the time of writing.
OpenCVE Enrichment