CVE-2025-13426
published 2025-12-05


Priority: P2 (64), severity high
CVSS 4.0 base score: 8.7
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
EPSS: 0.39% (30.5th percentile)
A vulnerability exists in Google Apigee's JavaCallout policy (https://docs.apigee.com/api-platform/reference/policies/java-callout-policy) that allows remote code execution. A user who can author a JavaCallout can inject a malicious object into the MessageContext and execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The following Apigee hybrid and OPDK versions have been updated to protect against this vulnerability:

* Hybrid_1.11.2+
* Hybrid_1.12.4+
* Hybrid_1.13.3+
* Hybrid_1.14.1+
* OPDK_5202+
* OPDK_5300+

Affected (6 ranges)

Vendor        Product                            Version range     Fixed in
google_cloud  apigee_hybrid_javacallout_policy   < Hybrid_1.11.2   Hybrid_1.11.2
google_cloud  apigee_hybrid_javacallout_policy   < Hybrid_1.12.4   Hybrid_1.12.4
google_cloud  apigee_hybrid_javacallout_policy   < Hybrid_1.13.3   Hybrid_1.13.3
google_cloud  apigee_hybrid_javacallout_policy   < Hybrid_1.14.1   Hybrid_1.14.1
google_cloud  apigee_hybrid_javacallout_policy   < OPDK_5202       OPDK_5202
google_cloud  apigee_hybrid_javacallout_policy   < OPDK_5300       OPDK_5300