CVE-2025-26865

LOW

Apache OFBiz <18.12.18 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-26865. PoCs published by mbadanoiu.

AI-analyzed exploit summary This repository documents CVE-2025-26865, a regression in Apache OfBiz that reintroduces a FreeMarker Server-Side Template Injection (SSTI) vulnerability via the 'ecommerce' plugin, potentially leading to RCE. It references the original CVE-2022-25813 for exploitation details.

Description

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.

Exploits (1)

nomisec WRITEUP

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2025-26865

View Code ZIP pw:eip

This repository documents CVE-2025-26865, a regression in Apache OfBiz that reintroduces a FreeMarker Server-Side Template Injection (SSTI) vulnerability via the 'ecommerce' plugin, potentially leading to RCE. It references the original CVE-2022-25813 for exploitation details.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OfBiz 18.12.18

Auth required

Prerequisites: Valid user credentials or registration · Administrative user interaction

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2025/03/07/1

Product mitigation release-notes product

https://ofbiz.apache.org/download.html

Vendor Advisory patch

https://ofbiz.apache.org/security.html

Issue Tracking, Patch issue-tracking

https://issues.apache.org/jira/browse/OFBIZ-12594

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7

Scores

CVSS v3 3.5

EPSS 0.0062

EPSS Percentile 44.9%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1336

Status published

Products (1)

apache/ofbiz 18.12.17

Published Mar 10, 2025

Tracked Since Feb 18, 2026