Description
A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in codelibs Fess version 15.5.1 and earlier allows an attacker to submit arbitrary code through the content argument of the AdminDesignAction.update method. The unvalidated input can be executed by the JSP File Handler, giving the attacker the ability to run malicious code on the server. The weakness is catalogued as CWE-74 and CWE-94, and the description states that the exploit may be performed from remote and that the vulnerability has been publicly disclosed.

Affected Systems

codelibs Fess, all releases up to and including 15.5.1 are affected. No specific policy or patch level is noted beyond the general statement that the vulnerability exists in these versions.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the medium severity range, but the lack of further mitigation or vendor response, combined with a publicly available exploit, raises the likelihood of real‑world use. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector, inferred from the description, is a remote web‑application request that manipulates the content parameter of the design file update feature. No additional exploitation conditions are described beyond remote access to the vulnerable JSP endpoint.

Generated by OpenCVE AI on May 9, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade codelibs Fess to the latest version that removes the vulnerable AdminDesignAction logic
  • If an upgrade is not immediately possible, sanitize or whitelist the content parameter before it is processed or rendered by the JSP engine to eliminate executable payloads
  • Deploy a web application firewall or other request filtering that blocks common code‑injection patterns on the AdminDesignAction endpoint
  • Monitor server logs and security alerts for signs of attempted injection or arbitrary code execution

Generated by OpenCVE AI on May 9, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Codelibs
Codelibs fess
Vendors & Products Codelibs
Codelibs fess

Sat, 09 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title codelibs Fess JSP File AdminDesignAction.java update code injection
Weaknesses CWE-74
CWE-94
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Codelibs Fess
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T22:15:38.888Z

Reserved: 2026-05-09T06:09:47.025Z

Link: CVE-2026-8211

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T23:16:32.930

Modified: 2026-05-09T23:16:32.930

Link: CVE-2026-8211

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T00:00:13Z

Weaknesses