CVE-2026-32735
Arbitrary File Unpacking Risk in openapi-to-java-records Parent POM
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openapi-to-java-records-mustache-templates | 5.1.1 | to 5.5.1 (exc) |
| openapi-to-java-records-mustache-templates-parent | 3.5.1 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability involves the openapi-to-java-records-mustache-templates project, specifically its parent POM file used to centralize plugin configurations for multiple unit-test modules. This parent POM uses the maven-dependency-plugin to unpack arbitrary .mustache files from the openapi-to-java-records-mustache-templates artifact. Although the parent POM is not intended for external use, it is published and could be used by anyone.
If the openapi-to-java-records-mustache-templates artifact were compromised and malicious .mustache files were included, these files would be automatically unpacked during a dependency update, potentially leading to security risks. The vulnerability is addressed in version 3.5.1 of the parent POM, and it is strongly recommended not to use the parent POM for external use.
How can this vulnerability impact me? :
If an attacker compromises the openapi-to-java-records-mustache-templates artifact and injects malicious .mustache files, these files would be automatically unpacked on users' systems during dependency updates. This could lead to the execution of malicious code or other unintended behaviors, potentially compromising the security and integrity of the user's development environment.
Since the parent POM is not intended for production use and is meant only for testing and maintainability, using it externally increases the risk of exposure to this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is strongly recommended not to use the parent POM file of the openapi-to-java-records-mustache-templates project for external use.
Additionally, ensure that you are using a version of openapi-to-java-records-mustache-templates-parent that is version 3.5.1 or later, as this release addresses the issue.
Avoid relying on the parent POM for production environments since it is intended only for testing and maintainability purposes.