CVE-2026-50223
Published: 2026-06-10

CVE-2026-50223: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource…
Priority: P2 (61) · high · 8.8 · CVSS 3.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (46.8th percentile)
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution.
This issue affects Apache OFBiz: before 24.09.07.
Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | ofbiz | < 24.09.07 | 24.09.07 |
| apache_software_foundation | apache_ofbiz | < 24.09.07 | 24.09.07 |
GHSA
ghsa_unreviewed · 2026-06-11 · CWE-94 (Improper Control of Generation of Code)
VulDB
vuldb · 2026-06-10 · CVSS 8.8 · HIGH
Apache OFBiz up to 24.09.06: FreeMarker Template special elements used in a template engine
A vulnerability classified as critical has been found in Apache OFBiz. This affects an unknown function of the component FreeMarker Template Handler. Performing a manipulation results in improper neutralization of special elements used in a template engine.
This vulnerability is reported as CVE-2026-50223. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-10