Omnifaces
Monthly
Remote code execution in OmniFaces CDNResourceHandler allows unauthenticated attackers to execute arbitrary code on servers via crafted EL injection in resource URLs. The vulnerability affects applications using wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*), where attackers can embed Expression Language expressions in resource request names that get evaluated server-side. Patched versions available across all maintained branches (1.14.2, 2.7.32, 3.14.16, 4.7.5, 5.2.3). EPSS data unavailable; not currently in CISA KEV, suggesting limited active exploitation at time of analysis.
Remote code execution in OmniFaces CDNResourceHandler allows unauthenticated attackers to execute arbitrary code on servers via crafted EL injection in resource URLs. The vulnerability affects applications using wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*), where attackers can embed Expression Language expressions in resource request names that get evaluated server-side. Patched versions available across all maintained branches (1.14.2, 2.7.32, 3.14.16, 4.7.5, 5.2.3). EPSS data unavailable; not currently in CISA KEV, suggesting limited active exploitation at time of analysis.