What is the CVSS score of CVE-2026-46586?

CVE-2026-46586 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Apache OFBiz are affected by CVE-2026-46586?

Apache OFBiz versions prior to 24.09.06 contain a code execution vulnerability affecting low-privilege user accounts, enabling attackers to compromise system confidentiality, integrity, and…. A patch is available.

Apache OFBiz CVE-2026-46586

EUVD-2026-30876 HIGH

Code Injection (CWE-94)

2026-05-19 apache

GHSA-rqcv-xm6x-2p88

RCE Apache Code Injection Apache Ofbiz

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 20, 2026 - 17:22 vuln.today

CVSS changed

May 20, 2026 - 17:22 NVD

7.3 (HIGH) 8.8 (HIGH)

Patch available

May 19, 2026 - 11:16 EUVD

CVE Published

May 19, 2026 - 09:41 nvd

UNKNOWN (no severity yet)

DescriptionNVD

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

AnalysisAI

Authenticated code injection in Apache OFBiz versions prior to 24.09.06 allows remote attackers with low-privileged accounts to execute arbitrary code via improperly neutralized directives in dynamically evaluated expressions. The flaw combines CWE-94 code injection with eval injection, yielding full confidentiality, integrity, and availability impact (CVSS 8.8). …

RemediationAI

24 hours: Identify and document all OFBiz deployments in production and non-production environments; restrict OFBiz access to approved users pending remediation. 7 days: Upgrade all OFBiz instances to version 24.09.06 or later; complete testing in staging environment before production rollout. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

CVE-2026-43828 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue

CVE-2026-44598 MEDIUM This Month

5.1 May 25

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu

CVE-2026-46586 vulnerability details – vuln.today

Back

Apache OFBiz CVE-2026-46586

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code