Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE
Description
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.
It's a regression between 18.12.17 and 18.12.18. Using an intermediate build of that kind is not recommended; for security, only official releases should be used.
In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not affected. But something between 18.12.17 and 18.12.18 is.
In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Development builds of Apache OFBiz between 18.12.17 and 18.12.18 contain a server-side template injection regression; users on the official 18.12.17 release are unaffected and can either stay on it or upgrade to 18.12.18.
Vulnerability
Apache OFBiz versions from 18.12.17 up to, but not including, 18.12.18 contain a regression that introduces improper neutralization of special elements used in a template engine (server-side template injection). The official release 18.12.17 is *not* affected; only builds or artifacts that fall *between* the 18.12.17 and 18.12.18 tags are vulnerable. The project strongly discourages using non-official builds [1].
Exploitation
An attacker must be able to supply untrusted input that reaches a FreeMarker template engine interpolation. In affected builds, the fix for OFBIZ-12594 (which prevented FreeMarker interpolation in fields) was partially reverted or not fully applied, allowing special template syntax to be injected. Whether authentication is needed depends on whether the vulnerable code path is reachable by unauthenticated requests; the exact entry point is not detailed in the available references [2].
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) by injecting FreeMarker directives and expressions. Because FreeMarker template access can execute arbitrary Java code, the attacker gains control of the OFBiz server process, leading to full compromise of confidentiality, integrity, and availability.
Mitigation
Users should upgrade to Apache OFBiz release 18.12.18, which properly restores the template interpolation fix [1]. Organizations must ensure they only use official released versions; no workaround is available for custom snapshot builds. As of publication, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
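The defect class described above, shown as an added illustration rather than OFBiz code (the page does not detail the affected OFBiz code path): a user-controlled field that is spliced into FreeMarker template source gets evaluated as template syntax, whereas the same field passed through the data model is rendered as plain data. The class name, method names and the constructed input are hypothetical; the FreeMarker API calls (`Configuration`, `Template`, `TemplateClassResolver`, `HTMLOutputFormat`) are the library's real ones.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical class: contrasts field-as-template-source with field-as-model-value.
public class FreemarkerFieldRendering {

    private static Configuration newConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Block the ?new built-in entirely. FreeMarker has no real sandbox, so this is
        // defence in depth only; the structural fix is never to treat input as source.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    /** VULNERABLE pattern: the untrusted field becomes part of the template source itself. */
    static String renderUnsafe(String untrustedField) throws IOException, TemplateException {
        String source = "Hello " + untrustedField + "!";
        Template t = new Template("greeting", new StringReader(source), newConfig());
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    /** HARDENED pattern: fixed template source; the field only ever enters as a data-model value. */
    static String renderSafe(String untrustedField) throws IOException, TemplateException {
        Configuration cfg = newConfig();
        // HTML output format turns on auto-escaping, so the value cannot break the
        // surrounding markup either.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        Template t = new Template("greeting", new StringReader("Hello ${name}!"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("name", untrustedField);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a harmless arithmetic interpolation, enough to reveal
        // whether the field is evaluated as template syntax or rendered as data.
        String field = "${1 + 1}";
        System.out.println("unsafe: " + renderUnsafe(field));
        System.out.println("safe:   " + renderSafe(field));
    }
}
```

Run with the FreeMarker jar on the classpath. The unsafe path evaluates the arithmetic and prints the result inside the greeting, which is the behaviour the regression above reintroduced for fields; the safe path prints the field text literally. The useful audit check is therefore structural: search for places where request-derived strings are concatenated into a `Template` source or handed to a string-based template loader, rather than relying on resolver or escaping settings alone.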
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 18.12.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- ofbiz.apache.org/security.html (mitre; patch)
- lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7 (mitre; vendor-advisory)
- issues.apache.org/jira/browse/OFBIZ-12594 (mitre; issue-tracking)
- ofbiz.apache.org/download.html (mitre; mitigation, release-notes, product)
News mentions
No linked articles in our index yet.