CVE-2026-46586
Apache · OFBiz
Apache OFBiz is vulnerable to code injection and eval injection, which may allow attackers to execute arbitrary code.
Executive summary
Apache OFBiz is susceptible to critical code injection and eval injection vulnerabilities that could allow for remote code execution.
Vulnerability
The software suffers from improper control of code generation and improper neutralization of directives in dynamically evaluated code, which can be exploited by an attacker to perform code injection.
Business impact
A CVSS score of 7.3 indicates significant risk: code injection vulnerabilities frequently lead to complete system compromise, including unauthorized data access and lateral movement within the network. This represents a severe threat to the availability and confidentiality of the Apache OFBiz environment.
Remediation
Immediate Action: Apply the latest security patches for OFBiz provided by the Apache Software Foundation as soon as possible.
Proactive Monitoring: Monitor server logs for suspicious system calls and for dynamic evaluation of user-supplied input that deviates from normal application behavior.
Compensating Controls: Deploy a WAF with strict input validation rules to inspect and filter malicious payloads targeting dynamic code evaluation functions.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of code injection, organizations running Apache OFBiz should treat remediation as a high-priority task. Ensure all instances are patched to the latest version to prevent potential remote code execution by unauthorized actors.