
Apache OFBiz CVE-2026-50223

EUVD-2026-36167 · CRITICAL
Code Injection (CWE-94)

Lifecycle Timeline

Patch available: Jun 11, 2026 - 02:00 (EUVD)
Analysis generated: Jun 10, 2026 - 18:16 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Remote code execution in Apache OFBiz before 24.09.07 is achievable by low-privileged authenticated users who hold Content/DataResource editing privileges, via FreeMarker server-side template injection. The vulnerability arises from insufficient controls over template generation in the DataResource editing interface: editor-supplied text is processed as a FreeMarker template, so directives injected into it are evaluated by the FreeMarker engine with server-side execution context. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain a low-privilege OFBiz account with the Content/DataResource role
Delivery: Access the DataResource/Content template editor
Exploit: Inject a malicious FreeMarker template payload
Execution: Server evaluates the template via the FreeMarker engine
Persist: Execute arbitrary code in the JVM context
Impact: Achieve full server-side command execution

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two concrete prerequisites: (1) a valid authenticated session on the OFBiz instance (unauthenticated access is not sufficient), and (2) an account that holds the Content/DataResource editing privilege within OFBiz's permission system. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: No CVSS vector was provided with this advisory, so quantitative scoring signals (attack vector, complexity, privileges, scope) cannot be cited from NVD data. …
Exploit Scenario: An attacker with a valid low-privileged OFBiz account (a contractor, an internal user, or a compromised credential) that has been granted Content/DataResource editing rights navigates to the content editing interface and submits a crafted FreeMarker template payload whose directives invoke Java code. The OFBiz server processes the template through the FreeMarker engine without sufficient sandboxing, so the injected directives execute in the JVM of the OFBiz application server, yielding arbitrary command execution as the OS user that runs the OFBiz process.
Remediation: The vendor-released fix is Apache OFBiz 24.09.07, which resolves this template injection; upgrade to that version or later. …
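The mechanism in the scenario above, and two ways to close it, as an added Java example: this is not OFBiz code, it does not reproduce the actual OFBiz injection point (the page does not give it), and it is not a substitute for the 24.09.07 upgrade. It assumes FreeMarker 2.3.x on the classpath; the template text, method names and class `FreeMarkerSstiDemo` are constructed for illustration. `ObjectConstructor` is a stock FreeMarker class that the `?new` built-in can instantiate under the default (unrestricted) class resolver; it is pointed at `java.lang.String` here so the run is harmless, but the same call shape instantiates any class with a public constructor.

```java
import freemarker.cache.TemplateClassResolver;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

/**
 * Added demonstration (not OFBiz code): compiling editor-supplied text as a
 * FreeMarker template is remote code execution, and how to close it.
 */
public class FreeMarkerSstiDemo {

    // Constructed sample of what a low-privileged editor might save as a
    // DataResource body. The ?new built-in instantiates any TemplateModel
    // implementation by name; ObjectConstructor then reflectively constructs
    // any class with a public constructor. java.lang.String is the harmless target.
    static final String EDITOR_TEXT =
        "Dear ${customerName}, "
        + "<#assign ctor = \"freemarker.template.utility.ObjectConstructor\"?new()>"
        + "${ctor(\"java.lang.String\", \"attacker-chosen class instantiated here\")}";

    /** Vulnerable pattern: the user text becomes the template itself. */
    static String renderUserTextAsTemplate(Configuration cfg, String userText,
                                           Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("dataresource", new StringReader(userText), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    /** Safe pattern: a trusted template renders the user text as a data value. */
    static String renderUserTextAsData(Configuration cfg, String userText,
                                       Map<String, Object> model)
            throws IOException, TemplateException {
        Map<String, Object> m = new HashMap<>(model);
        m.put("body", userText); // data: never parsed for directives
        Template t = new Template("wrapper", new StringReader("<p>${body}</p>"), cfg);
        StringWriter out = new StringWriter();
        t.process(m, out);
        return out.toString();
    }

    /** Out-of-the-box configuration: ?new resolves any class. */
    static Configuration defaultConfig() {
        return new Configuration(Configuration.VERSION_2_3_31);
    }

    /** Compensating controls for code that must still compile untrusted templates. */
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER); // ?new fails closed
        cfg.setAPIBuiltinEnabled(false);             // ?api (reflection on values) stays off
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE); // auto-escape ${...} output
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();
        model.put("customerName", "Alice");

        // 1. Default config, user text compiled as a template: the class is instantiated.
        System.out.println(renderUserTextAsTemplate(defaultConfig(), EDITOR_TEXT, model));

        // 2. Hardened config, same vulnerable call shape: ?new is refused at render time.
        try {
            renderUserTextAsTemplate(hardenedConfig(), EDITOR_TEXT, model);
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // 3. Structural fix: the directives are inert because the text is data, not template.
        System.out.println(renderUserTextAsData(hardenedConfig(), EDITOR_TEXT, model));
    }
}
```

Run 1 prints the editor text with "attacker-chosen class instantiated here" substituted in, run 2 throws a TemplateException from the `?new` call, and run 3 prints the directives back as escaped literal text. The resolver and `?api` settings only limit what a template can reach; the structural fix (editor text is data, never a template) is the one that actually removes the injection surface.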

Recommended Action (AI)

Within 24 hours: inventory all Apache OFBiz deployments, record the installed version of each, and document every user and service account holding Content/DataResource editing privileges. …

