CVE-2025-54466

CRITICAL LAB

Apache OFBiz < 24.09.02 - Code Injection


Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Exploits (1)

GitHub, working PoC (1 star), by exploitintel, Python PoC:
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-54466

Scores

CVSS v3 9.8
EPSS 0.0019
EPSS Percentile 41.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

EIP Lab
Vulnerable image: docker pull ghcr.io/exploitintel/cve-2025-54466-vulnerable:latest

Details

CWE
CWE-94
Status published
Products (1)
apache/ofbiz < 24.09.02
Published Aug 15, 2025
Tracked Since Feb 18, 2026