CVEFinder.io

CVE-2026-29207

🔶 medium
🔍 Scan for this CVE
Summary

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to r

Description

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported.

Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.

CVSS Score
6.5
Medium
EPSS Score
0.2
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.8% of all 326,604 vulnerabilities in our database.

#170,379
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 19, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Lidor B / thisis0xczar of Novee Security (reporter) Sho Odagiri of GMO Cybersecurity by Ierae, Inc. (reporter)
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE IDs (Weakness Types)
CWE-1336

📦 Affected Products 1

Vendor Product Status Affected Versions
apache ofbiz Affected
< 24.09.06

🔗 References 2

https://lists.apache.org/thread/3rcrp8bh3x6ovrj5xnc0...
Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/1...

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-29220 🔶 medium 6.5 0.4 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issu... 2026-05-19
CVE-2026-29226 ⚠️ high 7.3 0.1 Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects A... 2026-05-19
CVE-2026-31378 🔶 medium 6.5 0.3 Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are r... 2026-05-19
CVE-2026-31379 🔶 medium 6.1 0.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname ... 2026-05-19
CVE-2026-31380 🔶 medium 6.5 0.2 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') v... 2026-05-19
CVE-2026-31387 🔶 medium 5.3 0.1 Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are rec... 2026-05-19
These CVEs affect the same products