CVE-2026-29207

MEDIUM

Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

Title source: cna

Description

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/3rcrp8bh3x6ovrj5xnc0fm1f0nrn52r0

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/19/14

Scores

CVSS v3 6.5

EPSS 0.0015

EPSS Percentile 34.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1336

Status published

Products (2)

apache/ofbiz < 24.09.06

Apache Software Foundation/Apache OFBiz < 24.09.06

Published May 19, 2026

Tracked Since May 19, 2026