CVE-2025-54466

CVE-2025-54466: Apache OFBiz: RCE Vulnerability in scrum plugin

Vendor Apache Software Foundation

Product Apache OFBiz

Weakness CWE-94 · Code injection

Published August 15, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Key dates

Disclosure timeline

August 15, 2025 CVE published

February 26, 2026 Record updated