CVE-2025-33042

HIGH EPSS 44.3%

Published Feb 13, 20264mo ago · Modified Jun 17, 20261w ago

7.3 CVSS 3.1

High

Published Feb 13, 2026 4mo ago

Last Modified Jun 17, 2026 1w ago

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

CVSS Details

Base Score

7.3

Exploitability

3.9

Impact

3.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability Low

Threat Intelligence

EPSS Exploit Probability

44.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 4

Vendor	Product	Version	Range
apache	avro	*	<1.11.5
apache	avro	1.12.0	any
apache	avro	1.12.0	any
apache	avro	1.12.0	any

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/02/12/2

Mailing ListThird Party Advisory
lists.apache.org https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1

Issue TrackingMailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.