CVE-2026-46586

Apache · OFBiz

Apache OFBiz is vulnerable to code injection and eval injection, which may allow attackers to execute arbitrary code.

Executive summary

Apache OFBiz is susceptible to critical code injection and eval injection vulnerabilities that could allow for remote code execution.

Vulnerability

The software suffers from improper control of code generation and improper neutralization of directives in dynamically evaluated code, which can be exploited by an attacker to perform code injection.

Business impact

A CVSS score of 7.3 highlights a significant risk, as code injection vulnerabilities often allow for complete system compromise, including unauthorized data access and lateral movement within the network. This represents a severe threat to the availability and confidentiality of the Apache OFBiz environment.

Remediation

Immediate Action: Apply the latest security patches provided by the Apache Software Foundation for OFBiz without delay.

Proactive Monitoring: Monitor server logs for suspicious system calls or unexpected dynamic evaluation of inputs that deviate from normal application behavior.

Compensating Controls: Deploy a WAF with strict input validation rules to inspect and filter malicious payloads targeting dynamic code evaluation functions.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical nature of code injection, organizations running Apache OFBiz should treat this as a high-priority task. Ensure all instances are patched to the latest version to prevent potential remote code execution by unauthorized actors.