Apache OFBiz
33 CVEs affecting Apache OFBiz. Latest disclosed: 2026-05-19. Critical: 5, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-45434 | Critical | 9.8 | 2026-05-19 | Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution. This issue affects Apache OFBiz: before… |
| CVE-2012-1622 | Critical | 9.8 | 2017-10-26 | Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2016-2170 | Critical | 9.8 | 2016-04-12 | Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, rel… |
| CVE-2026-41919 | Critical | 9.1 | 2026-05-19 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24… |
| CVE-2026-31986 | Critical | 9.1 | 2026-05-19 | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to vers… |
| CVE-2026-46586 | High | 8.8 | 2026-05-19 | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability… |
| CVE-2016-4462 | High | 8.8 | 2017-08-30 | By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflecte… |
| CVE-2026-31910 | High | 7.5 | 2026-05-19 | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to versi… |
| CVE-2026-31909 | High | 7.5 | 2026-05-19 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recomme… |
| CVE-2026-29226 | High | 7.3 | 2026-05-19 | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users ar… |
| CVE-2026-45187 | Medium | 6.5 | 2026-05-19 | Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version… |
| CVE-2026-35086 | Medium | 6.5 | 2026-05-19 | Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. … |
| CVE-2026-31380 | Medium | 6.5 | 2026-05-19 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This iss… |
| CVE-2026-31378 | Medium | 6.5 | 2026-05-19 | Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09… |
| CVE-2026-29220 | Medium | 6.5 | 2026-05-19 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06… |
| CVE-2026-29207 | Medium | 6.5 | 2026-05-19 | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users… |
| CVE-2026-31906 | Medium | 6.1 | 2026-05-19 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24… |
| CVE-2026-31379 | Medium | 6.1 | 2026-05-19 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traver… |
| CVE-2016-6800 | Medium | 6.1 | 2017-08-30 | The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific pa… |
| CVE-2015-3268 | Medium | 6.1 | 2016-04-12 | Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x bef… |