Description
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue arises from unsafe template expansion in the Apache OFBiz email services: text that an authenticated user controls is expanded as template code instead of being treated as data, which is the Code Injection weakness CWE-94. The CVE title describes the issue as authenticated remote code execution, so an attacker who can log in can supply a crafted template and execute arbitrary code on the server with the privileges of the OFBiz process. A successful exploit therefore means full control of the affected host, including data exfiltration, data modification, and lateral movement into the surrounding network.

Affected Systems

This vulnerability affects the Apache OFBiz product distributed by the Apache Software Foundation. All releases before version 24.09.06 are impacted. The fix is included in version 24.09.06 and later.

Risk and Exploitability

No CVSS score is published and the issue is not listed in KEV; the EPSS estimate is below 1%, which reflects the absence of public exploit evidence at the time of writing rather than the severity of the outcome. The CVE title and description state that exploitation requires an authenticated user; once logged in, the attacker supplies a crafted template to trigger code execution. Because the result is complete takeover of the OFBiz host, organizations should treat the vulnerability as high priority despite the low EPSS.

Generated by OpenCVE AI on May 19, 2026 at 11:50 UTC.

Remediation

Vendor fix: upgrade to Apache OFBiz 24.09.06 or later. No vendor workaround is published.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to Apache OFBiz 24.09.06 or later.
  • If an immediate upgrade is not possible, disable or remove the ability for users to create or submit arbitrary email templates, limiting the scope to authorized administrative accounts only.
  • Monitor login activity and audit logs for unauthorized attempts at template submission until the upgrade is complete.

Generated by OpenCVE AI on May 19, 2026 at 11:50 UTC.
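To make concrete the distinction that the impact analysis and the interim mitigation above rest on (template text is code, model values are data), here is an added Python example; it is not code from OFBiz or from this page. It uses a deliberately tiny ${...}-expanding template engine as a stand-in for an expression-language engine, so the names render, render_vulnerable, render_hardened and looks_like_template_syntax, the sample subject line and the directive markers are all constructed for illustration and do not reproduce the specific defect behind CVE-2026-35086.

```python
import re

# Constructed stand-in for an expression-language template engine: every
# ${...} in the template text is evaluated with Python's eval(). Real engines
# differ in syntax but share the property that matters here: whoever
# controls the template TEXT controls code execution, while values bound
# into the model are only data. This is not OFBiz's engine and does not
# reproduce the specific defect behind CVE-2026-35086.
EXPR = re.compile(r"\$\{(.*?)\}")


def render(template: str, model: dict) -> str:
    """Expand each ${expr} in template by evaluating expr against model.

    re.sub does a single pass, so text substituted from a model value is
    never rescanned for further ${...} expressions.
    """
    return EXPR.sub(lambda m: str(eval(m.group(1), {}, dict(model))), template)


# Hypothetical user-controlled field, e.g. a subject line typed into a form.
# The payload is a harmless arithmetic expression; if it comes out as 1337
# the engine executed attacker-supplied code.
ATTACKER_SUBJECT = "Invoice ${7*191} ready"


def render_vulnerable(user_subject: str) -> str:
    """CWE-94 pattern: user input is spliced into the template source, so any
    ${...} the user typed is evaluated as code."""
    template = "Subject: " + user_subject + "\nHello ${name},"
    return render(template, {"name": "Alice"})


def render_hardened(user_subject: str) -> str:
    """Fixed shape: the template text is a constant; user input enters only
    as a model value and is copied through verbatim."""
    template = "Subject: ${subject}\nHello ${name},"
    return render(template, {"subject": user_subject, "name": "Alice"})


def looks_like_template_syntax(value: str) -> bool:
    """Defence-in-depth check for the interim mitigation: flag submitted
    values carrying template directive markers so they can be rejected or
    logged for review. The markers are common engine syntaxes chosen for
    this example, not an exhaustive or OFBiz-specific list."""
    return any(marker in value for marker in ("${", "#{", "<#", "<@"))


if __name__ == "__main__":
    print(render_vulnerable(ATTACKER_SUBJECT))   # expression was executed
    print(render_hardened(ATTACKER_SUBJECT))     # expression kept as text
    print(looks_like_template_syntax(ATTACKER_SUBJECT))
```

The hardened form is the actual fix: the template is a constant and user input only ever enters as a model value. The marker check is a stopgap for detecting and refusing template-like submissions while an upgrade is pending; it is easy to bypass with engine syntax not on the list, so it must not be relied on in place of the 24.09.06 upgrade.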

Advisories

No advisories yet.

History

Tue, 19 May 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Apache
                                      Apache ofbiz
Vendors & Products   -                Apache
                                      Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type         Values Removed   Values Added
Description  -                Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title        -                Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services
Weaknesses   -                CWE-94
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T09:36:00.229Z

Reserved: 2026-04-01T10:11:57.693Z

Link: CVE-2026-35086

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T10:16:24.263

Modified: 2026-05-19T10:16:24.263

Link: CVE-2026-35086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:00:05Z

Weaknesses