CVE-2025-26865

Published Mar 10, 2025

Last updated 24 days ago

CVSS low 3.5

Overview

Description
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.   It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
Source
security@apache.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.5
Impact score
2.5
Exploitability score
0.9
Vector string
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity
LOW

Weaknesses

security@apache.org
CWE-1336

Social media

Hype score
Not currently trending

  1. CVE-2025-26865: Apache OFBiz Vulnerability Could Lead to Remote Code Execution https://t.co/7stMOdziOX https://t.co/t5uMpEA1IR

    @freedomhack101

    13 Mar 2025

    20 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️ Vulnerability Alert: Apache OFBiz Vulnerability Could Lead to Remote Code Execution 📅 Timeline: Disclosure: 2025-03-10, Patch: 2025-03-10 🆔cveId: CVE-2025-26865 📊baseScore: 3.5 📏cvssMetrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N cvssSeverity: Medium 🟡 📈 EPSS…

    @syedaquib77

    12 Mar 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-26865 Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. … https://t.co/EOXwyFcBdx

    @CVEnew

    10 Mar 2025

    228 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨CVE-2025-26865: Apache OFBiz RCE via SSTI🚨 ⚠ Apache OFBiz is vulnerable to Server-Side Template Injection (SSTI) in the ecommerce plugin, potentially leading to Remote Code Execution (RCE). ZoomEye Dork👉app="Apache OFBiz" 741 instances found exposed ZoomEye Link:… https://t.

    @zoomeye_team

    10 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. CVE-2025-26865: Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE https://t.co/eQwz8v3QqK

    @oss_security

    7 Mar 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References