CVE-2025-54466

CRITICAL LAB

Apache OFBiz < 24.09.02 - Code Injection

Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to possible RCE in the Apache OFBiz scrum plugin. This issue affects Apache OFBiz before 24.09.02, and only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Exploits (1)

GitHub (working PoC, 1 star) by exploitintel, Python PoC:
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-54466

Scores

CVSS v3: 9.8
EPSS: 0.0015
EPSS Percentile: 36.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Vulnerable image:
docker pull ghcr.io/exploitintel/cve-2025-54466-vulnerable:latest

Classification

CWE: CWE-94
Status: published

Affected Products (1)

apache/ofbiz < 24.09.02

Timeline

Published: Aug 15, 2025
Tracked Since: Feb 18, 2026