CVE-2026-46586

Source
https://cve.org/CVERecord?id=CVE-2026-46586
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46586.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46586
Published
2026-05-19T09:41:39.546Z
Modified
2026-07-08T08:13:39.348113342Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution
Details

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "24.09.06"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "24.09.06"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46586.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-94",
        "CWE-95"
    ]
}
References

Affected packages

Git / github.com/apache/ofbiz-framework

Affected ranges

Type
GIT
Repo
https://github.com/apache/ofbiz-framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.09.06"
        }
    ]
}

Affected versions

release24.*
release24.09.01
release24.09.02
release24.09.03
release24.09.04
release24.09.05

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46586.json"