Skip to main content

OmniFaces EUVDEUVD-2026-28794

| CVE-2026-41883 HIGH
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-05-08 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 08, 2026 - 17:02 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:31 vuln.today
Analysis Generated
May 08, 2026 - 16:31 vuln.today
CVE Published
May 08, 2026 - 15:36 nvd
HIGH 8.1

DescriptionGitHub Advisory

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.

AnalysisAI

Remote code execution in OmniFaces CDNResourceHandler allows unauthenticated attackers to execute arbitrary code on servers via crafted EL injection in resource URLs. The vulnerability affects applications using wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*), where attackers can embed Expression Language expressions in resource request names that get evaluated server-side. Patched versions available across all maintained branches (1.14.2, 2.7.32, 3.14.16, 4.7.5, 5.2.3). EPSS data unavailable; not currently in CISA KEV, suggesting limited active exploitation at time of analysis.

Technical ContextAI

OmniFaces is a utility library for Jakarta Server Faces (JSF) that extends standard JSF capabilities. The CDNResourceHandler component enables serving JSF resources (JavaScript, CSS, images) from Content Delivery Networks. The vulnerability stems from CWE-917 (Expression Language Injection), where the handler evaluates user-controlled input as Expression Language expressions when processing wildcard CDN resource mappings. EL is a scripting language used in Jakarta EE for accessing and manipulating data objects in JSF pages. When wildcard mappings are configured, the resource name portion of URLs is processed through EL evaluation without proper sanitization. Depending on the EL implementation (Jakarta EL, JBoss EL, etc.) and available objects in the EL context (application scope beans, system properties, Runtime class access), this can escalate from information disclosure to arbitrary code execution. The affected Maven artifact is org.omnifaces:omnifaces across five major version branches spanning versions before 1.14.2, 2.0-RC1 through 2.7.31, 3.0-RC1 through 3.14.15, 4.0-M1 through 4.7.4, and 5.0 through 5.2.2.

RemediationAI

Upgrade to patched OmniFaces versions immediately if using CDNResourceHandler with wildcard mappings: 1.14.2 for 1.x branch, 2.7.32 for 2.x branch, 3.14.16 for 3.x branch, 4.7.5 for 4.x branch, or 5.2.3 for 5.x branch. Update Maven dependency version in pom.xml and redeploy. If immediate upgrade is not feasible, implement configuration-based workaround by replacing all wildcard CDN mappings (libraryName:*=https://cdn.example.com/*) with explicit resource-to-URL mappings for each individual resource file (libraryName:resource1.js=https://cdn.example.com/resource1.js, libraryName:resource2.js=https://cdn.example.com/resource2.js, etc.). This workaround eliminates the vulnerable code path entirely. Trade-off: explicit mapping maintenance overhead increases when adding new CDN resources, but security risk is eliminated without library upgrade. Organizations not using CDNResourceHandler or using it exclusively with explicit mappings require no action. Verify configuration by reviewing faces-config.xml or programmatic ResourceHandler configuration for wildcard asterisk patterns in CDN mappings. Detailed remediation guidance available at https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8.

Share

EUVD-2026-28794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy