CVE-2025-26865Improper Neutralization of Special Elements Used in a Template Engine in Software Foundation Apache Ofbiz

CWE-1336Improper Neutralization of Special Elements Used in a Template Engine4 documents4 sources
Severity
3.5LOWNVD
EPSS
0.3%
top 43.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache OfbizApache Ofbiz
Timeline
PublishedMar 10

Description

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users ar

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 0.9 | Impact: 2.5

Affected Packages2 packages

CVEListV5apache_software_foundation/apache_ofbiz18.12.1718.12.18
NVDapache/ofbiz18.12.17

Patches

Patch: issues.apache.org

🔴Vulnerability Details

2
GHSA
GHSA-p9r8-xjx7-v86q: Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz2025-03-10
CVEList
Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE2025-03-10

📋Vendor Advisories

1
Apache
Apache ofbiz: CVE-2025-26865
CVE-2025-26865 — LOW severity | cvebase