
Apache OFBiz — Vulnerabilities & Security Advisories (55)

All 55 CVE vulnerabilities found in Apache OFBiz, with AI-generated Chinese analysis, references, and POCs.

This page catalogs security vulnerabilities associated with the Apache OFBiz application framework, categorized by Common Weakness Enumeration (CWE) tag. It aggregates vulnerability data specifically related to this open-source enterprise resource planning and e-commerce platform developed by the Apache Software Foundation. The collection covers a wide range of security flaws, such as cross-site scripting, SQL injection, authentication bypasses, and file inclusion errors. The data spans from the early 2000s through the present day, covering the entire historical lifespan of the software's major releases and security patches. Readers can use this resource to track vendor advisories issued by the Apache project, understand the prevalence and impact of specific weakness classes within this codebase, and look up the detailed vulnerability history of Apache OFBiz. This overview helps security professionals assess risk exposure by providing context on how often specific types of vulnerabilities have affected the product over time. By centralizing this information, the page facilitates deeper analysis of the software's security posture and aids in identifying trends in defect discovery and remediation. It serves as a historical record for auditing purposes and helps organizations understand the evolution of security practices within the Apache OFBiz ecosystem. This resource is intended for developers, security analysts, and IT administrators who need to evaluate the current state of known issues.

Vendor: Apache Software Foundation

CVE ID | Title | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2026-46586 | Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution | CWE-94 | - | - | 2026-05-19
CVE-2026-45434 | Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE | CWE-287 | - | - | 2026-05-19
CVE-2026-45187 | Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs | CWE-285 | - | - | 2026-05-19
CVE-2026-41919 | Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction | CWE-90 | - | - | 2026-05-19
CVE-2026-35086 | Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services | CWE-94 | - | - | 2026-05-19
CVE-2026-31986 | Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection | CWE-321 | - | - | 2026-05-19
CVE-2026-31910 | Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access | CWE-918 | - | - | 2026-05-19
CVE-2026-31909 | Apache OFBiz: Unauthenticated Shipment Label Image Disclosure | CWE-200 | - | - | 2026-05-19
CVE-2026-31906 | Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters | CWE-79 | - | - | 2026-05-19
CVE-2026-31388 | Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature | CWE-284 | - | - | 2026-05-19
CVE-2026-31387 | Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation | CWE-287 | - | - | 2026-05-19
CVE-2026-31380 | Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass | CWE-917 | - | - | 2026-05-19
CVE-2026-31379 | Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager | CWE-79 | - | - | 2026-05-19
CVE-2026-31378 | Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution | CWE-20 | - | - | 2026-05-19
CVE-2026-29226 | Apache OFBiz: Low-Privilege SSRF in Content Component | CWE-918 | - | - | 2026-05-19
CVE-2026-29207 | Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component | CWE-1336 | - | - | 2026-05-19
CVE-2026-29220 | Apache OFBiz: Low-Privilege LFI in Content Component | CWE-22 | - | - | 2026-05-19
CVE-2025-61623 | Apache OFBiz: Reflected Cross-site Scripting | CWE-79 | 6.1 | - | 2025-11-12
CVE-2025-59118 | Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload | CWE-434 | 9.8 | - | 2025-11-12
CVE-2025-54466 | Apache OFBiz: RCE Vulnerability in scrum plugin | CWE-94 | 9.8 (AI) | Critical (AI) | 2025-08-15
CVE-2025-30676 | Apache OFBiz: Stored XSS Vulnerability | CWE-80 | 6.1 | - | 2025-04-01
CVE-2025-26865 | Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE | CWE-1336 | 9.8 | - | 2025-03-10
CVE-2024-47208 | Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE | CWE-918 | 9.8 (AI) | Critical (AI) | 2024-11-18
CVE-2024-48962 | Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE) | CWE-94 | 8.8 (AI) | High (AI) | 2024-11-18
CVE-2024-45195 | Apache OFBiz: Confused controller-view authorization logic (forced browsing) | CWE-425 | 9.1 (AI) | Critical (AI) | 2024-09-04
CVE-2024-45507 | Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE | CWE-918 | 9.8 (AI) | Critical (AI) | 2024-09-04
CVE-2024-38856 | Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code | CWE-863 | 5.6 (AI) | Medium (AI) | 2024-08-05
CVE-2024-36104 | Apache OFBiz: Path traversal leading to a RCE | CWE-22 | 7.5 (AI) | High (AI) | 2024-06-04
CVE-2024-32113 | Apache OFBiz: Path traversal leading to RCE | CWE-22 | 7.5 (AI) | High (AI) | 2024-05-08
CVE-2024-23946 | Apache OFBiz: Path traversal or file inclusion | CWE-22 | 9.1 | - | 2024-02-28

A "-" means the page lists no value for that field; "(AI)" reproduces the page's own AI label on that score or severity.
