CVE-2025-26865

LOW

Apache OFBiz <18.12.18 - Info Disclosure

Title source: llm

Description

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.

Exploits (1)

nomisec WRITEUP

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2025-26865

View Code ZIP pw:eip

References (5)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/03/07/1

[Product] https://ofbiz.apache.org/download.html

[Vendor Advisory] https://ofbiz.apache.org/security.html

[Issue Tracking, Patch] https://issues.apache.org/jira/browse/OFBIZ-12594

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7

Scores

CVSS v3 3.5

EPSS 0.0040

EPSS Percentile 60.8%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1336

Status published

Products (1)

apache/ofbiz 18.12.17

Published Mar 10, 2025

Tracked Since Feb 18, 2026