CVE-2026-31379 PUBLISHED

Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager

Assigner: apache
Reserved: 09.03.2026 Published: 19.05.2026 Updated: 19.05.2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache OFBiz
Versions	Default: unaffected affected from 0 to 24.09.06 (excl.)

Credits

Sho Odagiri of GMO Cybersecurity by Ierae, Inc. reporter
Emily Bishop of 992labs reporter

References

https://lists.apache.org/thread/1tcnkxjm0s6n1ohfb21brl25dt0hv9by

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-94 Improper Control of Generation of Code ('Code Injection') CWE