CVE-2026-46586
HIGHApache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution
Title source: cnaExploitation Summary
EIP tracks 1 public exploit for CVE-2026-46586. PoCs published by lwd3c.
AI-analyzed exploit summary The repository contains a functional exploit PoC for CVE-2026-46586, an authenticated RCE vulnerability in Apache OFBiz. The exploit leverages improper validation in the `traverseContent` service to execute arbitrary Groovy code via the `pickWhen` parameter, leading to command execution on the server.
Description
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Exploits (1)
The repository contains a functional exploit PoC for CVE-2026-46586, an authenticated RCE vulnerability in Apache OFBiz. The exploit leverages improper validation in the `traverseContent` service to execute arbitrary Groovy code via the `pickWhen` parameter, leading to command execution on the server.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H