CVE-2026-46586

CVE-2026-46586: Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution

Vendor Apache Software Foundation

Product Apache OFBiz

Weakness CWE-94 · Code injection

Published May 19, 2026

Last update May 20, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Key dates

Disclosure timeline

May 19, 2026 CVE published

May 20, 2026 Record updated