Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution.

This issue affects Apache OFBiz: before 24.09.07.

Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Published: 2026-06-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw that lets a low-privileged authenticated user with the ability to edit Content/DataResource objects inject arbitrary FreeMarker template code. Such injected code can be executed by the OFBiz application engine, providing the attacker with the ability to run system commands, exfiltrate data, or otherwise compromise the host. The flaw is a direct instance of improper code generation, which falls under the identified weakness category.

Affected Systems

Affected installations are those running Apache OFBiz earlier than version 24.09.07 from the Apache Software Foundation. Any deployment retaining those legacy releases and granting content or data‑resource editing rights to users who are not fully trusted falls within the risk window. The vendor lists all pre‑24.09.07 builds as vulnerable.

Risk and Exploitability

EPSS is < 1%, indicating a very low exploitation probability, and the CVSS score is 8.8, which reflects a high severity level. The vulnerability is not in the CISA KEV catalog, but the confirmed remote code execution capability means that any environment where a low‑privileged user can edit Content/DataResource objects is at risk. The threat model requires an authenticated user with moderate privileges; therefore, the exploit is relatively low in effort but high in impact. The best posture for the environment is to promptly remediate with the vendor’s patch to eliminate the code execution pathway.

Generated by OpenCVE AI on June 11, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to 24.09.07 or any later release that contains the fix.
  • Restrict Content/DataResource editing permissions to trusted administrators only until the upgrade is applied to limit the potential for template injection.
  • Disable or limit the rendering of user supplied data through FreeMarker when not necessary, ensuring that only sanitized inputs are passed to the template engine.
  • Monitor for any unusual template rendering activity and verify that the application logs record no unauthorized template evaluations.

Generated by OpenCVE AI on June 11, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
Vendors & Products Apache
Apache ofbiz

Wed, 10 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Wed, 10 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Title Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution
Weaknesses CWE-94
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-12T03:55:27.599Z

Reserved: 2026-06-04T09:18:42.609Z

Link: CVE-2026-50223

cve-icon Vulnrichment

Updated: 2026-06-10T22:42:04.290Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:49.777

Modified: 2026-06-12T19:30:46.973

Link: CVE-2026-50223

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')