CVE-2025-54466

CWE-94 — Code Injection4 documents4 sources

Severity

9.8CRITICAL

EPSS

0.2%

top 60.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Ofbiz Apache Ofbiz

Timeline

PublishedAug 15

Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/ofbiz< 24.09.02

▶CVEListV5apache_software_foundation/apache_ofbiz< 24.09.02

Patches

Patch: issues.apache.org ↗

🔴Vulnerability Details

CVEList

Apache OFBiz: RCE Vulnerability in scrum plugin↗2025-08-15

▶

GHSA

GHSA-7vg9-49f9-pfxr: Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin↗2025-08-15

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2025-54466↗

▶