CVE-2026-29207
Modified Modified - Updated After Analysis
Template Injection in Apache OFBiz

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: Apache Software Foundation

Description
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-29207
EUVD
EUVD-2026-30855
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache ofbiz to 24.09.06 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Neutralization of Special Elements Used in a Template Engine issue found in Apache OFBiz versions before 24.09.06.

It involves the way special elements are handled in the template engine, which can lead to security risks if not properly neutralized.

The issue is fixed in version 24.09.06, which also removes support for "Data Resource" records with dataTemplateTypeId = "FTL" and changes permissions related to the "Ecommerce Customer" security group.

Impact Analysis

Exploitation of this vulnerability could allow attackers to inject or execute malicious content through the template engine, potentially compromising the integrity and security of the application.

This may lead to unauthorized access, data manipulation, or other security breaches within Apache OFBiz installations that have not been updated.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache OFBiz to version 24.09.06, which contains the fix.

In addition, note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported, so you should review and adjust your data resources accordingly.

Also, the "Ecommerce Customer" security group no longer includes content management grants in the updated version. You should remove these permissions from any production site to enhance security.

Compliance Impact

The provided information does not specify how the vulnerability in Apache OFBiz (CVE-2026-29207) affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart