CVE-2025-46295

CRITICAL

Claris FileMaker Server - Apache Commons Text Interpolation Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-46295. PoCs published by soliantconsulting.

AI-analyzed exploit summary: This repository provides a legitimate automation solution for mitigating CVE-2025-46295 by replacing vulnerable Apache Commons JAR files in FileMaker Server installations. It includes platform-specific scripts for Windows, macOS, and Ubuntu to detect and replace vulnerable JARs with patched versions.

Description

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4.

Exploits (1)

nomisec · WORKING POC · 1 star
by soliantconsulting · poc
https://github.com/soliantconsulting/CVE-2025-46295-fix-fms

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: FileMaker Server (all versions with vulnerable Apache Commons JARs)
Auth required
Prerequisites: FileMaker Server installed · Web Publishing Engine enabled · Administrator/sudo privileges
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0092
EPSS Percentile 55.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-94
Status published
Products (1)
claris/filemaker_server < 22.0.4
Published Dec 16, 2025
Tracked Since Feb 18, 2026