
Apache OFBiz vulnerabilities

73 known vulnerabilities affecting apache/ofbiz.

Total CVEs: 73
CISA KEV: 4 (actively exploited)
Public exploits: 20
Exploited in wild: 5
Severity breakdown: CRITICAL 26, HIGH 17, MEDIUM 27, LOW 2, UNKNOWN 1

Vulnerabilities

Page 1 of 4
CVE-2026-45434 | CRITICAL | CVSS 9.8 | fixed in 24.09.06 | 2026-05-19
CWE-287: Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-41919 | CRITICAL | CVSS 9.1 | fixed in 24.09.06 | 2026-05-19
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31986 | CRITICAL | CVSS 9.1 | fixed in 24.09.06 | 2026-05-19
CWE-321: Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31910 | HIGH | CVSS 7.5 | fixed in 24.09.06 | 2026-05-19
CWE-918: Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-46586 | HIGH | CVSS 8.8 | fixed in 24.09.06 | 2026-05-19
CWE-94: Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-29226 | HIGH | CVSS 7.3 | fixed in 24.09.06 | 2026-05-19
CWE-918: Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31909 | HIGH | CVSS 7.5 | fixed in 24.09.06 | 2026-05-19
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31388 | MEDIUM | CVSS 5.3 | fixed in 24.09.06 | 2026-05-19
CWE-284: Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31387 | MEDIUM | CVSS 5.3 | fixed in 24.09.06 | 2026-05-19
CWE-287: Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31379 | MEDIUM | CVSS 6.1 | fixed in 24.09.06 | 2026-05-19
CWE-22: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 2
Sources: nvd

CVE-2026-31378 | MEDIUM | CVSS 6.5 | fixed in 24.09.06 | 2026-05-19
CWE-20: Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-45187 | MEDIUM | CVSS 6.5 | fixed in 24.09.06 | 2026-05-19
CWE-285: Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-29207 | MEDIUM | CVSS 6.5 | fixed in 24.09.06 | 2026-05-19
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supporte
Sources: nvd

CVE-2026-29220 | MEDIUM | CVSS 6.5 | fixed in 24.09.06 | 2026-05-19
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31906 | MEDIUM | CVSS 6.1 | fixed in 24.09.06 | 2026-05-19
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-31380 | MEDIUM | CVSS 6.5 | fixed in 24.09.06 | 2026-05-19
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2026-35086 | MEDIUM | CVSS 6.5 | fixed in 24.09.06 | 2026-05-19
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Sources: nvd

CVE-2025-59118 | HIGH | CVSS 7.3 | fixed in 24.09.03 | 2025-11-12
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.
Sources: nvd, apache

CVE-2025-61623 | MEDIUM | CVSS 6.5 | fixed in 24.09.03 | 2025-11-12
CWE-79: Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.
Sources: nvd, apache

CVE-2025-54466 | CRITICAL | CVSS 9.8 | fixed in 24.09.02 | 2025-08-15
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the
Sources: nvd, apache