
CVE-2026-28228 (Java)

EUVD-2026-17201 · HIGH
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
Published 2026-03-30 · GitHub_M
CVSS 3.1 base score: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

  • Apr 16, 2026 06:10 · Analysis Updated (EUVD-patch-fix, executive_summary)
  • Apr 16, 2026 05:29 · Re-analysis Queued (backfill_euvd_patch, patch_released)
  • Apr 16, 2026 05:29 · Patch available (EUVD): 20.2.5, 20.1.18, 19.1.31
  • Mar 30, 2026 21:00 · EUVD ID Assigned (euvd): EUVD-2026-17201
  • Mar 30, 2026 21:00 · Analysis Generated (vuln.today)
  • Mar 30, 2026 20:31 · CVE Published (nvd): HIGH 8.8

Description (NVD)

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed (either triggered manually or via the daily cron job), the injected directives are evaluated server-side. By chaining Velocity's #set directive with Java reflection, an attacker can instantiate arbitrary Java classes such as java.lang.ProcessBuilder and execute operating system commands with the privileges of the Tomcat process (typically root in containerized deployments). This issue has been patched in versions 19.1.31, 20.1.18, and 20.2.5.
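To make the mechanism concrete, here is an added Java example (not OpenOlat's code and not part of the advisory) that assumes Apache Velocity 2.x and a hypothetical reminder renderer: the vulnerable pattern hands Author-supplied text to the template parser, so any directive in it executes server-side; the safe pattern passes that text in as a context value and additionally enables SecureUberspector so reflection pivots are refused even if untrusted text ever reaches the parser.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/** Contrasts the SSTI pattern behind CVE-2026-28228 with a safe rendering path. */
public class ReminderTemplateDemo {

    // Constructed sample of what an Author might type into the reminder template field.
    // A harmless directive is enough to show whether the text is executed or just copied.
    static final String AUTHOR_INPUT =
            "Hi, #set($x = 6 * 7) your course starts soon ($x)";

    /** Vulnerable pattern: the user-supplied text *is* the template. */
    static String renderUnsafe(String userTemplate) {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        StringWriter out = new StringWriter();
        // The whole string is parsed as Velocity, so any #set / $obj.method() inside it
        // runs on the server when the reminder is processed (cron or manual trigger).
        engine.evaluate(new VelocityContext(), out, "reminder", userTemplate);
        return out.toString();
    }

    /** Safe pattern: user text is a context *value*; only a fixed, trusted template is parsed. */
    static String renderSafe(String userText) {
        VelocityEngine engine = new VelocityEngine();
        // Defence in depth: SecureUberspector refuses getClass() and method calls on
        // java.lang.Class, ClassLoader, Runtime, Process, java.lang.reflect.* and similar,
        // so a reflection chain is cut off even if untrusted text ever reaches the parser.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("body", userText); // stored as data; Velocity does not re-parse string values
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reminder", "$body"); // the template itself is never user-controlled
        return out.toString();
    }

    public static void main(String[] args) {
        // In the unsafe path the directive executes (it assigns $x and the value is rendered);
        // in the safe path the identical input is emitted verbatim as inert text.
        System.out.println("unsafe: " + renderUnsafe(AUTHOR_INPUT));
        System.out.println("safe:   " + renderSafe(AUTHOR_INPUT));
    }
}
```

The same contrast is a useful detection heuristic: stored reminder templates containing `#set`, `#foreach`, `$...` method calls or `.class`/`forName` references written by Author accounts warrant review on unpatched instances.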

Analysis (AI)

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as Author user
Delivery: Inject Velocity directives into reminder email template
Exploit: Submit malicious template
Execution: Trigger reminder processing via cron or manual action
Persist: Server evaluates injected directives
Impact: Execute arbitrary OS commands via ProcessBuilder reflection

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated user account with the Author role in OpenOlat versions prior to 19.1.31, 20.1.18, and 20.2.5. …

Risk Assessment: This represents a critical real-world risk despite requiring authenticated access. …

Exploit Scenario: An authenticated attacker with OpenOlat Author credentials navigates to the reminder configuration interface and creates a new email reminder template containing malicious Velocity directives such as #set($proc=$class.forName('java.lang.ProcessBuilder').getConstructor($class).newInstance()) to instantiate ProcessBuilder, followed by reflection calls to invoke exec() with system commands like reverse shell payloads or data exfiltration scripts. When the daily cron job processes pending reminders or an administrator manually triggers the reminder, the Velocity engine evaluates the injected template server-side, executing the attacker's commands with the privileges of the Tomcat process. …

Remediation: Organizations must immediately upgrade to patched OpenOlat versions: 19.1.31 for the 19.1.x branch, 20.1.18 for the 20.1.x branch, or 20.2.5 for the 20.2.x branch. …

Recommended Action (AI)

Within 24 hours: Identify all OpenOlat instances in production and verify current versions against 19.1.31, 20.1.18, and 20.2.5 baselines; restrict Author role assignments to trusted personnel only. …

