Description
OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.
Published: 2026-05-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server‑side expression language injection in OmniFaces. An attacker can embed an EL expression in the resource name used by a CDN resource handler when a wildcard mapping is configured. The expression is evaluated by the server, allowing arbitrary code execution. This flaw results in complete compromise of confidentiality, integrity, and availability of the affected application.

Affected Systems

The library OmniFaces, regardless of major version, is affected when the installed version is older than 1.14.2, 2.7.32, 3.14.16, 4.7.5, or 5.2.3. The issue surfaces in any application that employs CDNResourceHandler with a wildcard CDN mapping such as libraryName:*=https://cdn.example.com/*.
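The following Python is an added check, not code from OmniFaces or from this advisory: it classifies an installed OmniFaces version against the first fixed release on its major branch, parsing the version numerically so that 4.7.10 is not mistaken for being older than 4.7.5. A pre-release suffix such as -SNAPSHOT is dropped, so such builds should be verified by hand; majors the advisory does not cover are reported as unknown rather than as fixed.

```python
"""Added check, not part of OmniFaces or the advisory: classify an installed
OmniFaces version against the first fixed release on its major branch."""
import re

# First fixed release per major branch, taken from the advisory text.
FIXED_BY_MAJOR = {
    1: (1, 14, 2),
    2: (2, 7, 32),
    3: (3, 14, 16),
    4: (4, 7, 5),
    5: (5, 2, 3),
}


def parse_version(version: str) -> tuple:
    """Turn 'major.minor[.patch][-suffix]' into a numeric tuple so that
    comparisons are numeric (4.7.10 > 4.7.5), not string-wise.
    A suffix such as '-SNAPSHOT' is dropped; treat such builds as
    'verify manually' rather than trusting the result."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the first fixed release on its
    major branch. Branches not covered by the advisory raise, rather than
    silently reporting 'not vulnerable'."""
    parsed = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(parsed[0])
    if fixed is None:
        raise ValueError(f"no fix data for OmniFaces {parsed[0]}.x")
    return parsed < fixed


def triage(versions) -> dict:
    """Map each version string to 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v) else "fixed"
        except ValueError:
            result[v] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample: version strings as they might appear in a set of pom.xml files.
    print(triage(["3.14.15", "4.7.5", "4.7.10", "5.2.2", "6.0.0", "latest"]))
```

Feed `triage` the OmniFaces versions collected from your dependency manifests or lock files; anything reported as unknown needs a manual look rather than being treated as safe.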

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (High) comes from the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network without authentication or user interaction, with attack complexity rated High, and exposure is limited to deployments that configure a wildcard CDN mapping. The flaw is not listed in the CISA KEV catalog, the SSVC assessment records no known exploitation, and EPSS currently estimates the probability of exploitation below 1%. The expected attack vector is a crafted HTTP request for a Faces resource whose resource name carries an EL expression.

Generated by OpenCVE AI on May 8, 2026 at 17:45 UTC.

Remediation

Fixed releases are available: OmniFaces 1.14.2, 2.7.32, 3.14.16, 4.7.5 and 5.2.3 (see GHSA-vp6r-9m58-5xv8). Removing wildcard CDN mappings from the CDNResourceHandler configuration takes an application out of the affected set until the upgrade is applied.

OpenCVE Recommended Actions

  • Upgrade OmniFaces to the patched release of the major branch in use: 1.14.2, 2.7.32, 3.14.16, 4.7.5 or 5.2.3, or any newer release within that branch. This is the definitive fix.
  • Disable or remove CDNResourceHandler wildcard mappings in the application configuration so that no user-supplied resource names can be interpreted as EL. Use explicit mappings or local resources instead.
  • As a stopgap until the upgrade is deployed, add a Web Application Firewall rule or request filter that rejects Faces resource requests whose resource name contains EL syntax (#{…} or ${…}). Match against the percent-decoded request path: a literal string match misses %23%7B and double-encoded variants. Monitor access logs for such requests. This reduces exposure but does not remove the flaw; only the upgrade, or removal of the wildcard mapping, does.
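The script below is an added example and is not OmniFaces code. It covers the second and third recommendations: it audits a web.xml for wildcard CDN mappings and scans access-log lines for Faces resource requests whose resource name contains EL syntax after percent-decoding, so that an encoded or double-encoded #{ is not missed. It assumes the context-param name org.omnifaces.CDN_RESOURCE_HANDLER_URLS as documented for CDNResourceHandler (verify against the javadoc of your version) and the Faces resource URL layout /jakarta.faces.resource/<name>?ln=<library> (javax.faces.resource on older stacks); the web.xml and log lines are constructed samples, and the EL text in them is a placeholder, not a payload.

```python
"""Added example, not OmniFaces code: audit web.xml for wildcard CDN mappings
and flag Faces resource requests whose resource name carries EL syntax after
percent-decoding (a plain '#{' filter misses %23%7B and double encoding)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Context-param name as documented for CDNResourceHandler (assumed; check
# the javadoc of the OmniFaces version you run).
CDN_URLS_PARAM = "org.omnifaces.CDN_RESOURCE_HANDLER_URLS"
# Faces resource URLs look like /<ctx>/jakarta.faces.resource/<name>?ln=<lib>
# (javax.faces.resource on older stacks); capture the resource name.
RESOURCE_PATH = re.compile(r'/(?:jakarta|javax)\.faces\.resource/([^\s?"]+)')
EL_MARKER = re.compile(r"[#$]\{")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as {https://jakarta.ee/...}."""
    return tag.rsplit("}", 1)[-1]


def wildcard_cdn_mappings(web_xml: str) -> list:
    """Return (key, url) pairs from the CDN mapping whose key or URL uses '*'."""
    found = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") != CDN_URLS_PARAM:
            continue
        for mapping in fields.get("param-value", "").split(","):
            if "=" not in mapping:
                continue
            key, url = (part.strip() for part in mapping.split("=", 1))
            if "*" in key or "*" in url:
                found.append((key, url))
    return found


def decode_fully(text: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded %2523%257B still collapses to '#{'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def suspicious_resource_requests(log_lines) -> list:
    """Return (line_number, decoded_resource_name) for each access-log line
    that requests a Faces resource whose name contains '#{' or '${'."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = RESOURCE_PATH.search(line)
        if match is None:
            continue
        name = decode_fully(match.group(1))
        if EL_MARKER.search(name):
            hits.append((number, name))
    return hits


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
      cdnlib:*=https://cdn.example.com/*,
      js/app.js=https://cdn.example.com/js/app.js
    </param-value>
  </context-param>
</web-app>"""

SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2026:17:00:01 +0000] "GET /app/jakarta.faces.resource/app.js.xhtml?ln=cdnlib HTTP/1.1" 302 -',
    '10.0.0.9 - - [08/May/2026:17:00:02 +0000] "GET /app/jakarta.faces.resource/%23%7Bfoo%7D.js.xhtml?ln=cdnlib HTTP/1.1" 302 -',
    '10.0.0.9 - - [08/May/2026:17:00:03 +0000] "GET /app/jakarta.faces.resource/%2523%257Bfoo%257D.js.xhtml?ln=cdnlib HTTP/1.1" 302 -',
    '10.0.0.7 - - [08/May/2026:17:00:04 +0000] "GET /app/index.xhtml HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print("wildcard CDN mappings:", wildcard_cdn_mappings(SAMPLE_WEB_XML))
    print("suspicious requests:", suspicious_resource_requests(SAMPLE_LOG))
```

Replacing the wildcard entry cdnlib:*=https://cdn.example.com/* with one explicit mapping per resource makes `wildcard_cdn_mappings` return an empty list, which is the configuration state the second recommendation asks for. The log check only inspects the resource-name portion of the path and decodes a bounded number of times; it is a detection aid, not a substitute for the upgrade.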



Advisories

Source: GitHub GHSA
ID: GHSA-vp6r-9m58-5xv8
Title: OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
History

Fri, 08 May 2026 20:15:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:00:00 +0000

Description added: OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.
Title added: OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Weaknesses added: CWE-917
References: none recorded in this entry
Metrics (cvssV3_1) added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:40:03.022Z

Reserved: 2026-04-22T15:11:54.670Z

Link: CVE-2026-41883

Vulnrichment

Updated: 2026-05-08T19:39:33.976Z

NVD

Status: Received

Published: 2026-05-08T16:16:11.760

Modified: 2026-05-08T16:16:11.760

Link: CVE-2026-41883

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T18:00:16Z

Weaknesses