Description
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue arises from the Apache OFBiz email services' use of unsafe template expansion: user-controlled input reaches a template engine as template source rather than as data, so it is parsed and executed along with the developer's template (CWE-94, Improper Control of Generation of Code). The CVE title describes the flaw as authenticated remote code execution, while the CVSS 3.1 vector recorded in the history below (PR:N) indicates that no privileges are required; until the vendor clarifies, assume that any user who can get content rendered by the email services may be able to inject template code. The vector scores confidentiality and integrity impact as low and availability as none, and the SSVC assessment records technical impact as partial, so this page does not support a claim of full system compromise. Code execution in the context of the OFBiz process still exposes data that process handles, allows it to be modified, and gives an attacker a position from which to attempt further compromise.

Affected Systems

This vulnerability affects the Apache OFBiz product distributed by the Apache Software Foundation. All releases before version 24.09.06 are impacted. The fix is included in version 24.09.06 and later.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N recorded in the history below: network-reachable, low attack complexity, no user interaction, with low confidentiality and integrity impact and no availability impact. The EPSS score is below 1%, a very low predicted probability of exploitation; the CVE is not in CISA's KEV catalog; and the SSVC decision points record Exploitation: none and Automatable: yes. The CVE title calls the flaw authenticated, which conflicts with PR:N in the vector, so plan as if no privileged account is needed until the vendor clarifies. Even without exploitation evidence, a network-reachable, low-complexity code injection in a component that renders templates warrants prompt remediation.

Generated by OpenCVE AI on May 19, 2026 at 15:31 UTC.

Remediation

Vendor fix: Apache OFBiz 24.09.06 corrects the issue; upgrade to 24.09.06 or later. No workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to Apache OFBiz 24.09.06 or later.
  • If an immediate upgrade is not possible, disable or remove the ability for users to create or submit arbitrary email templates, limiting the scope to authorized administrative accounts only.
  • Monitor authentication and application audit logs for template submissions by unexpected accounts, and for template directive or placeholder syntax in user-submitted fields, until the upgrade is complete.

Generated by OpenCVE AI on May 19, 2026 at 15:31 UTC.
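As an added illustration, not code from Apache OFBiz or from OpenCVE, the Python below shows the weakness class behind this CVE and the check the monitoring recommendation above relies on: a template expander that treats its source as code, a vulnerable builder that splices user input into that source, a hardened builder that passes the same input as a model value, and an input filter that flags template syntax. The eval()-based expander, the ${...} syntax, the CONTEXT values, the function names and the email wording are all constructed stand-ins; OFBiz's actual template engine, API and the affected code path are not described on this page and are not reproduced here.

```python
"""CWE-94 via unsafe template expansion: vulnerable pattern, hardened
pattern, and an input check. Added illustration, not Apache OFBiz code;
the ${...} syntax and the eval()-based expander are stand-ins for a real
template engine."""
import re

# Rendering context an email service might have in scope.
# Constructed sample data, including a value that must never reach a recipient.
CONTEXT = {
    "order_id": "ORD-1001",
    "smtp_password": "s3cret-relay-pw",
}

# Placeholder syntax of the stand-in engine: ${expression}
_EXPR = re.compile(r"\$\{([^}]*)\}")


def render(template_source, model):
    """Expand every ${expr} by evaluating expr against the model.

    This mimics the essential property of template engines: the template
    source is code. Whatever lands in the source gets executed.
    """
    def expand(match):
        expr = match.group(1)
        # Builtins stripped only to keep the demo tame; this is not a sandbox.
        return str(eval(expr, {"__builtins__": {}}, dict(model)))
    # re.sub with a callable inserts the return value literally; it is not
    # re-scanned, which matters for the hardened builder below.
    return _EXPR.sub(expand, template_source)


def vulnerable_build_email(customer_name):
    """Vulnerable: user data is concatenated into the template *source*,
    so any ${...} it carries is parsed and evaluated as template code."""
    source = "Dear " + customer_name + ", your order ${order_id} has shipped."
    return render(source, CONTEXT)


def hardened_build_email(customer_name):
    """Hardened: the source is a fixed, developer-controlled string; user
    data enters only as a model value whose content is never re-parsed."""
    source = "Dear ${customer_name}, your order ${order_id} has shipped."
    return render(source, {**CONTEXT, "customer_name": customer_name})


def contains_template_syntax(value):
    """Defense in depth: flag submitted values carrying expansion syntax
    (placeholders and common directive openers). Usable as an input check
    or an audit-log filter; it does not replace fixing how templates are
    built, because a real engine's grammar is richer than this pattern."""
    return bool(re.search(r"\$\{|<#|<@|#\{", value))


if __name__ == "__main__":
    payload = "${7*7}"
    print(vulnerable_build_email(payload))             # "Dear 49, ..."
    print(hardened_build_email(payload))               # "Dear ${7*7}, ..."
    print(vulnerable_build_email("${smtp_password}"))  # leaks a context value
    print(contains_template_syntax(payload))           # True
```

Run it and compare the two builders on the payload ${7*7}: the vulnerable one returns the evaluated result, 49, and the ${smtp_password} payload pulls a value out of the rendering context, while the hardened one emits the payload as literal text. The contains_template_syntax check is a detection aid for the log review step above, not a fix; the fix is that user input never becomes template source.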


Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

  Type: References (no values shown)

Tue, 19 May 2026 16:45:00 +0000

  Type: CPEs
  Values added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000

  Type: Metrics
  Values added:
    cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    ssvc (version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: partial

Tue, 19 May 2026 12:15:00 +0000

  Type: First Time appeared
  Values added: Apache; Apache ofbiz
  Type: Vendors & Products
  Values added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

  Type: Description
  Values added: Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
  Type: Title
  Values added: Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services
  Type: Weaknesses
  Values added: CWE-94
  Type: References (no values shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-20T03:55:19.849Z

Reserved: 2026-04-01T10:11:57.693Z

Link: CVE-2026-35086

Vulnrichment

Updated: 2026-05-19T18:37:21.200Z

NVD

Status: Modified

Published: 2026-05-19T10:16:24.263

Modified: 2026-05-19T19:16:49.850

Link: CVE-2026-35086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')