CVE-2025-54466

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBizscrum plugin.

This issue affects Apache OFBiz: before 24.09.02 only when thescrum plugin is used.

Even unauthenticated attackers can exploit this vulnerability.


Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
apacheofbiz
𝑥
< 24.09.02
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://issues.apache.org/jira/browse/OFBIZ-13276
https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-24.09.02.html
https://ofbiz.apache.org/security.html
http://www.openwall.com/lists/oss-security/2025/08/05/1