CVE-2026-50223

CVE-2026-50223: Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution

Vendor: Apache Software Foundation
Product: Apache OFBiz
Weakness: CWE-94 (Code injection)
Published: June 10, 2026
Last update: June 12, 2026

What the vulnerability does

Description

An Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz versions before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.

Key dates

Disclosure timeline

June 10, 2026: CVE published
June 12, 2026: Record updated