Critical severity 9.8 · GHSA Advisory · Published Jun 30, 2025 · Updated Apr 15, 2026
CVE-2025-26074
Description
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.conductoross:conductor-core (Maven) | < 3.21.13 | 3.21.13 |
References
- github.com/advisories/GHSA-8gqp-hr9g-pg62 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-26074 (GHSA, advisory)
- github.com/conductor-oss/conductor/blob/main/core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java (NVD, web)
- github.com/conductor-oss/conductor/commit/e9816501df1e364a3d39d7fe37d6e167c40eaa1b (GHSA, web)
- medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb (NVD, web)