CVE-2026-46586 PUBLISHED

Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution

Assigner: apache
Reserved: 15.05.2026 Published: 19.05.2026 Updated: 19.05.2026

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache OFBiz
Versions	Default: unaffected affected from 0 to 24.09.06 (excl.)

Credits

lwd3c finder

References

https://lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js

Problem Types

CWE-94 Improper Control of Generation of Code ('Code Injection') CWE
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE