CVE-2026-29207
Template Injection in Apache OFBiz
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | ofbiz | to 24.09.06 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the vulnerability in Apache OFBiz (CVE-2026-29207) affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is an Improper Neutralization of Special Elements Used in a Template Engine issue found in Apache OFBiz versions before 24.09.06.
It involves the way special elements are handled in the template engine, which can lead to security risks if not properly neutralized.
The issue is fixed in version 24.09.06, which also removes support for "Data Resource" records with dataTemplateTypeId = "FTL" and changes permissions related to the "Ecommerce Customer" security group.
How can this vulnerability impact me? :
Exploitation of this vulnerability could allow attackers to inject or execute malicious content through the template engine, potentially compromising the integrity and security of the application.
This may lead to unauthorized access, data manipulation, or other security breaches within Apache OFBiz installations that have not been updated.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache OFBiz to version 24.09.06, which contains the fix.
In addition, note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported, so you should review and adjust your data resources accordingly.
Also, the "Ecommerce Customer" security group no longer includes content management grants in the updated version. You should remove these permissions from any production site to enhance security.