Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AnalysisAI
Authenticated code injection in Apache OFBiz versions prior to 24.09.06 allows remote attackers with low-privileged accounts to execute arbitrary code via improperly neutralized directives in dynamically evaluated expressions. The flaw combines CWE-94 code injection with eval injection, yielding full confidentiality, integrity, and availability impact (CVSS 8.8). No public exploit identified at time of analysis, and EPSS rates near-term exploitation at 0.03% (8th percentile), but SSVC flags the issue as automatable, raising the risk of scripted abuse once a POC emerges.
Technical ContextAI
Apache OFBiz is an open-source enterprise resource planning (ERP) suite providing CRM, e-commerce, accounting, manufacturing, and supply-chain modules built on a Java stack with Groovy-based scripting and a service engine that supports dynamic expression evaluation. The CWE-94 (Improper Control of Generation of Code) root cause indicates that user-controllable input reaches an interpreter - historically in OFBiz this has involved Groovy/BeanShell evaluation through view handlers, screen widgets, or service URI parameters - allowing attacker-supplied directives to be parsed and executed by the runtime. The CPE entry cpe:2.3:a:apache_software_foundation:apache_ofbiz:*:*:*:*:*:*:*:* confirms the Apache Software Foundation product as the sole affected platform, with the eval-injection variant suggesting the sink is a dynamic evaluator (e.g., GroovyShell, ScriptEngine, or UEL) rather than a static template renderer.
RemediationAI
Vendor-released patch: 24.09.06 - upgrade Apache OFBiz to 24.09.06 or later as documented in the Apache advisory at https://lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js. Until the upgrade can be deployed, restrict network reachability of the OFBiz web tier to trusted internal ranges (block public ingress on 443/8443/1099), audit user accounts to remove self-registration or low-privilege accounts not strictly required, and consider disabling unused webapps and view handlers that expose dynamic expression evaluation endpoints (groovyProgram, ViewHandlerExceptionEventHandler, and similar) via the relevant component.xml/controller.xml - note that disabling these will break customizations and integrations that depend on Groovy scripting. A WAF rule blocking requests that contain serialized Groovy/Java expressions or known OFBiz eval-sink query parameters can buy time but will not catch novel payload encodings, so it should be considered compensating rather than terminating control. Validate the patched version against the EUVD entry EUVD-2026-30876 before declaring closure.
More in Apache Ofbiz
View allSame weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30876
GHSA-rqcv-xm6x-2p88