CVE-2025-54466

Source
https://cve.org/CVERecord?id=CVE-2025-54466
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54466.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54466
Published
2025-08-15T15:15:32.360Z
Modified
2026-04-12T17:14:03.998234Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Improper Control of Generation of Code ('Code Injection') vulnerability leading to possible remote code execution (RCE) in the Apache OFBiz scrum plugin.

This issue affects Apache OFBiz before 24.09.02, and only when the scrum plugin is used.

Even unauthenticated attackers can exploit this vulnerability.

Users are recommended to upgrade to version 24.09.02, which fixes the issue.

References

Affected packages

Git / github.com/apache/ofbiz-framework

Affected ranges

Type
GIT
Repo
https://github.com/apache/ofbiz-framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.09.02"
        }
    ]
}

Affected versions

release24.*
release24.09.01

Database specific

vanir_signatures_modified
"2026-04-12T17:14:03Z"
vanir_signatures
[
    {
        "id": "CVE-2025-54466-082710e8",
        "target": {
            "file": "framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/fo/ScreenFopViewHandler.java",
            "function": "render"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "115239135110448458133838827146088054427",
            "length": 4499.0
        },
        "signature_type": "Function",
        "source": "https://github.com/apache/ofbiz-framework/commit/a0fd48e6f8e9f7195805d6c86281b815fb2de892",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2025-54466-b8194ec6",
        "target": {
            "file": "framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/fo/ScreenFopViewHandler.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "249146079106409486859352739705293824872",
                "314012154644596642122118081014475321011",
                "242468568323965799300793993567488478400",
                "251410504749570407709719120966721489550"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/apache/ofbiz-framework/commit/a0fd48e6f8e9f7195805d6c86281b815fb2de892",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54466.json"