CVE-2026-46586

HIGH EPSS 41.8%

Published May 19, 20261mo ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published May 19, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

41.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

CWE-95

Affected Products 1

Vendor	Product	Version	Range
apache	ofbiz	*	<24.09.06

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/05/19/30
lists.apache.org https://lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js

Mailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.