CVE-2026-31379
Cross-Site Scripting and Path Traversal in Apache OFBiz
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Affected Version Range |
|---|---|---|
| apache | ofbiz | before 24.09.06 (24.09.06 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Apache OFBiz involves Cross-site Scripting (XSS), Path Traversal, and Code Injection, which can lead to arbitrary file writes, stored XSS attacks, and remote code execution. Such security issues can potentially expose sensitive data or allow unauthorized access, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
However, the provided information does not explicitly describe the direct impact of this vulnerability on compliance with specific standards or regulations.
Can you explain this vulnerability to me?
This vulnerability in Apache OFBiz involves multiple security issues including Cross-site Scripting (XSS), Path Traversal, and Code Injection.
Cross-site Scripting (XSS) occurs due to improper neutralization of input during web page generation, allowing attackers to inject malicious scripts.
Path Traversal happens because of improper limitation of a pathname to a restricted directory, potentially allowing attackers to access unauthorized files.
Code Injection arises from improper control of code generation, which may let attackers execute arbitrary code.
These issues affect Apache OFBiz versions before 24.09.06, and upgrading to version 24.09.06 is recommended to fix the problem.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized access to sensitive files, execution of malicious scripts in users' browsers, and execution of arbitrary code on the server.
Such impacts can lead to data breaches, compromise of system integrity, and potential control over the affected system by attackers.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to upgrade Apache OFBiz to version 24.09.06, which fixes the vulnerability.