CVE-2025-54466

EUVD-2025-25026
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.

This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.

Even unauthenticated attackers can exploit this vulnerability.


Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
Affected Products (NVD)
VendorProductVersion
apacheofbiz
𝑥
< 24.09.02
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://issues.apache.org/jira/browse/OFBIZ-13276
https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-24.09.02.html
https://ofbiz.apache.org/security.html
http://www.openwall.com/lists/oss-security/2025/08/05/1