Apache OFBiz Improper Neutralization of Template Elements Vulnerability Leading to Remote Code Execution

Vulnerability

A server-side template injection vulnerability allowing remote code execution has been identified in Apache OFBiz versions prior to 24.09.06. This issue arises from improper handling of special elements in the template engine. In the updated version, 'Data Resource' records with a dataTemplateTypeId of 'FTL' are no longer supported. Additionally, the 'Ecommerce Customer' security group no longer includes content management grants, and users are advised to remove these permissions from any production site.

Impact

Exploitation of this vulnerability allows for server-side template injection, which can lead to remote code execution on the server.

Remediation

Users are advised to upgrade to Apache OFBiz version 24.09.06 or later. After upgrading, 'Data Resource' records with a dataTemplateTypeId of 'FTL' should be removed, and any content management permissions granted to the 'Ecommerce Customer' security group should be revoked on production sites.
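Two audit queries that locate the records the remediation above says to remove, added here as an example and not taken from the advisory or from the OFBiz project itself. They assume OFBiz's default entity-to-table naming (entity DataResource stored as DATA_RESOURCE, SecurityGroupPermission as SECURITY_GROUP_PERMISSION, SecurityGroup as SECURITY_GROUP) and that content-management permission IDs carry the CONTENTMGR prefix; confirm both against your own schema before relying on the results.

```sql
-- 1. Data Resource records still using the FreeMarker ('FTL') template type.
--    Table and column names follow the default OFBiz naming convention
--    (assumption); LAST_UPDATED_STAMP is the standard OFBiz audit column.
SELECT dr.DATA_RESOURCE_ID,
       dr.DATA_RESOURCE_NAME,
       dr.DATA_TEMPLATE_TYPE_ID,
       dr.LAST_UPDATED_STAMP
  FROM DATA_RESOURCE dr
 WHERE dr.DATA_TEMPLATE_TYPE_ID = 'FTL'
 ORDER BY dr.LAST_UPDATED_STAMP DESC;

-- 2. Every security group that holds a content-management grant.
--    On a production site the ecommerce customer group should not appear here.
--    The CONTENTMGR prefix is an assumption about permission naming in your
--    installation; adjust the pattern if your permission IDs differ.
SELECT sgp.GROUP_ID,
       sg.DESCRIPTION,
       sgp.PERMISSION_ID
  FROM SECURITY_GROUP_PERMISSION sgp
  JOIN SECURITY_GROUP sg
    ON sg.GROUP_ID = sgp.GROUP_ID
 WHERE sgp.PERMISSION_ID LIKE 'CONTENTMGR%'
 ORDER BY sgp.GROUP_ID, sgp.PERMISSION_ID;
```

Run both before and after the upgrade: the first should return no rows once the FTL records are gone, and the second should list only the administrative groups you expect to manage content.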

Added: May 19, 2026, 10:34 AM
Updated: May 19, 2026, 10:34 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 4.7
remediation: 3.1
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.