Unrated severity · NVD Advisory · Published Aug 15, 2025 · Updated Feb 26, 2026
Apache OFBiz: RCE Vulnerability in scrum plugin
CVE-2025-54466
Description
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz before 24.09.02, and only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Affected products
- Apache Software Foundation / Apache OFBiz
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915 (MITRE: vendor advisory)
- issues.apache.org/jira/browse/OFBIZ-13276 (MITRE: issue tracking)
- ofbiz.apache.org/download.html (MITRE: mitigation)
- ofbiz.apache.org/release-notes-24.09.02.html (MITRE: release notes)
- ofbiz.apache.org/security.html (MITRE: related)
News mentions
No linked articles in our index yet.