CVE-2026-41883
EL Injection in OmniFaces Leading to RCE
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| omnifaces | omnifaces | < 1.14.2 (fixed in 1.14.2) |
| omnifaces | omnifaces | < 2.7.32 (fixed in 2.7.32) |
| omnifaces | omnifaces | < 3.14.16 (fixed in 3.14.16) |
| omnifaces | omnifaces | < 4.7.5 (fixed in 4.7.5) |
| omnifaces | omnifaces | < 5.2.3 (fixed in 5.2.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the OmniFaces utility library for Jakarta Faces (JSF), in versions prior to 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. It is a server-side Expression Language (EL) injection that can lead to Remote Code Execution (RCE). The issue arises when an application uses CDNResourceHandler with a wildcard CDN mapping: an attacker can request a resource whose name contains an EL expression, and that resource name is evaluated as EL on the server, so the attacker controls what is executed.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an attacker to remotely execute arbitrary code on the affected server. This can lead to unauthorized access, data theft, data manipulation, service disruption, or complete takeover of the server hosting the vulnerable application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OmniFaces to one of the patched versions: 1.14.2, 2.7.32, 3.14.16, 4.7.5, or 5.2.3.
Additionally, avoid using CDNResourceHandler with wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*) until the upgrade is applied, as this configuration is vulnerable to server-side EL injection leading to remote code execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows server-side EL injection leading to Remote Code Execution (RCE), which can result in unauthorized access to sensitive data or system control.
Such unauthorized access or data breaches could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information.
However, the provided information does not explicitly mention the impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring Faces resource requests (paths containing jakarta.faces.resource or, on older stacks, javax.faces.resource) for EL syntax in the resource name, especially if your application uses CDNResourceHandler with a wildcard CDN mapping (e.g., libraryName:*=https://cdn.example.com/*).
Look for the EL delimiters ${...} or #{...} in request paths. Attackers normally percent-encode them (%24%7B, %23%7B) or double-encode them, so decode the URL before matching; a literal search for braces will miss encoded payloads.
Example commands to detect such attempts in web server logs or network traffic include:
- Using grep to find plain and percent-encoded EL delimiters in logs: grep -Ei '(\$|%24|#|%23)(\{|%7B)' access.log
- Using tcpdump to capture plaintext HTTP requests and filter for EL patterns (requires further processing, and does not work for TLS traffic on port 443, which must be inspected at the terminating reverse proxy or WAF): tcpdump -A -s 0 'tcp port 80' | grep -Ei '(\$|%24|#|%23)(\{|%7B)'
- Using web application firewall (WAF) rules to detect and block requests containing EL delimiters, decoded, in the resource-name path segment.
Additionally, verify the OmniFaces version in use (the omnifaces jar under WEB-INF/lib, or the dependency declared in your build file) and check the org.omnifaces.CDN_RESOURCE_HANDLER_URLS context parameter in web.xml for wildcard mappings to determine whether your deployment is exposed.
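The grep commands above still cannot tell a hit inside a Faces resource request from EL syntax elsewhere in a URL, and a single decoding pass misses double-encoded payloads. The following Python script is an added example, not part of this advisory or of OmniFaces: it parses Combined Log Format lines, percent-decodes the request target until it is stable, isolates the Faces resource name (the path after jakarta.faces.resource or javax.faces.resource) and reports EL delimiters in it. The log lines are constructed for the example; also checking the ln library-name query parameter is a conservative extension beyond what the advisory describes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# EL delimiters: ${...} or #{...}
EL_PATTERN = re.compile(r"[$#]\{[^}]*\}")

# The quoted request line of a Common/Combined Log Format entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Faces resource requests: everything after the resource handler prefix is the
# resource name (works for prefix or suffix servlet mapping, Jakarta or legacy javax)
RESOURCE_RE = re.compile(r"/(?:jakarta|javax)\.faces\.resource/(?P<name>.+)$")

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2026:10:00:01 +0000] "GET /app/jakarta.faces.resource/jquery.js.xhtml?ln=mylib HTTP/1.1" 200 4123',
    # single percent-encoding of #{1+1} in the resource name
    '10.0.0.9 - - [08/May/2026:10:00:07 +0000] "GET /app/jakarta.faces.resource/%23%7B1%2B1%7D.js.xhtml?ln=mylib HTTP/1.1" 404 0',
    # double percent-encoding of #{request} in the library-name parameter
    '10.0.0.9 - - [08/May/2026:10:00:09 +0000] "GET /app/jakarta.faces.resource/x.js.xhtml?ln=%2523%257Brequest%257D HTTP/1.1" 404 0',
    # EL syntax outside the resource handler path: not a CDNResourceHandler request
    '10.0.0.7 - - [08/May/2026:10:00:12 +0000] "GET /app/index.xhtml?q=%23%7Bnot.a.resource%7D HTTP/1.1" 200 812',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing, so double-encoded
    payloads (%2523 -> %23 -> #) are seen in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def faces_resource(target):
    """Return (resource_name, library_name) for a Faces resource request,
    or None if the target is not served by the Faces resource handler."""
    parts = urlsplit(target)  # split before decoding so %3F/%23 cannot fake a query or fragment
    match = RESOURCE_RE.search(fully_decode(parts.path))
    if not match:
        return None
    # parse_qs decodes once; decode again to surface double-encoded values
    library = parse_qs(parts.query).get("ln", [None])[0]
    if library is not None:
        library = fully_decode(library)
    return match.group("name"), library


def find_el_in_resource_requests(log_lines):
    """Return (raw_target, resource_name, library_name) for every request
    whose Faces resource name or library name carries EL delimiters."""
    hits = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        resource = faces_resource(req.group("target"))
        if resource is None:
            continue
        name, library = resource
        if EL_PATTERN.search(name) or (library and EL_PATTERN.search(library)):
            hits.append((req.group("target"), name, library))
    return hits


if __name__ == "__main__":
    for raw, name, library in find_el_in_resource_requests(SAMPLE_LOG):
        print(f"EL in Faces resource request: name={name!r} ln={library!r} ({raw})")
```

On the constructed sample the script reports the second and third lines; a literal grep for `#{` finds neither, and the fourth line is correctly ignored because it never reaches the Faces resource handler.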
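One way to perform the configuration check described above, as an added example that is not part of this advisory or of OmniFaces: the script below parses a web.xml, locates the org.omnifaces.CDN_RESOURCE_HANDLER_URLS context parameter (the documented OmniFaces parameter that configures CDNResourceHandler) and reports every mapping whose resource name is the * wildcard, following the comma-separated libraryName:resourceName=URL syntax the advisory's own example uses. The web.xml content is constructed for the example.

```python
import xml.etree.ElementTree as ET

# OmniFaces context parameter that configures CDNResourceHandler mappings
CDN_URLS_PARAM = "org.omnifaces.CDN_RESOURCE_HANDLER_URLS"

# Constructed web.xml for this example: one exact mapping (not affected) and
# one wildcard mapping of the kind the advisory warns about.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
    <context-param>
        <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
        <param-value>
            js/script.js=https://cdn.example.com/js/script.js,
            mylib:*=https://cdn.example.com/*
        </param-value>
    </context-param>
</web-app>
"""


def parse_cdn_mappings(value):
    """Split a CDN_RESOURCE_HANDLER_URLS value into mapping dicts.
    Each comma-separated entry is [libraryName:]resourceName=URL; a resource
    name of * is the wildcard form."""
    mappings = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        key, _, url = entry.partition("=")  # split on the first '=' only
        library, has_library, resource = key.partition(":")
        if not has_library:
            library, resource = None, key
        resource = resource.strip()
        mappings.append({
            "library": library.strip() if library else None,
            "resource": resource,
            "url": url.strip(),
            "wildcard": resource == "*",
        })
    return mappings


def audit_web_xml(xml_text):
    """Return the wildcard CDN mappings declared in a web.xml document.
    The {*} namespace wildcard makes this work for both Java EE and
    Jakarta EE deployment descriptors."""
    root = ET.fromstring(xml_text)
    findings = []
    for param in root.iterfind(".//{*}context-param"):
        name = (param.findtext("{*}param-name") or "").strip()
        if name != CDN_URLS_PARAM:
            continue
        value = param.findtext("{*}param-value") or ""
        findings.extend(m for m in parse_cdn_mappings(value) if m["wildcard"])
    return findings


if __name__ == "__main__":
    for m in audit_web_xml(SAMPLE_WEB_XML):
        print(f"wildcard CDN mapping: library={m['library']} -> {m['url']}; "
              f"remove it or upgrade OmniFaces to a fixed version")
```

An empty result from audit_web_xml means no wildcard mapping is configured, which is the interim state the mitigation above asks for; the upgrade to a fixed version is still required.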