CVE-2026-8211

MEDIUM

codelibs Fess JSP File AdminDesignAction.java update code injection

Title source: cna

Description

A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-362419 | codelibs Fess JSP File AdminDesignAction.java update code injection

https://vuldb.com/vuln/362419

Signature, Permissions Required signature permissions-required

VDB-362419 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/362419/cti

Third Party Advisory third-party-advisory

Submit #804293 | CodeLibs Fess 15.5.1 Arbitrary File Write

https://vuldb.com/submit/804293

Exploit exploit

https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink

Scores

CVSS v3 4.7

EPSS 0.0024

EPSS Percentile 15.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-94

Status published

Products (2)

codelibs/Fess 15.5.0

codelibs/Fess 15.5.1

Published May 09, 2026

Tracked Since May 10, 2026