VYPR
High severity · OSV Advisory · Published Jan 8, 2026 · Updated Jan 8, 2026

OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE

CVE-2026-22244

Description

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions   Patched versions
org.open-metadata:platform   Maven       < 1.11.4            1.11.4

Affected products: 1

Patches: 1

bffe7c458077

Vulnerability fix for 1.11.4 (#24945)

https://github.com/open-metadata/OpenMetadata · Ajith Prasad · Dec 22, 2025 · via ghsa
1 file changed · +2 -2
  • pom.xml · +2 -2 · modified
    @@ -84,7 +84,7 @@
         <dropwizard.version>4.0.14</dropwizard.version>
         <dropwizard-jdbi3.version>4.0.14</dropwizard-jdbi3.version>
         <diffMatch.version>1.0</diffMatch.version>
    -    <jersey-bom.version>3.1.5</jersey-bom.version>
    +    <jersey-bom.version>3.1.10</jersey-bom.version>
         <javax.ws.rs-api.version>2.1.1</javax.ws.rs-api.version>
         <!-- update from here -->
         <jakarta.servlet-api.version>6.0.0</jakarta.servlet-api.version>
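Review bot: the jersey-bom bump from 3.1.5 to 3.1.10 is not explained by the commit message "Vulnerability fix for 1.11.4 (#24945)", which names neither the vulnerability nor the dependency advisory this upgrade addresses; since the hunk changes only a BOM version in pom.xml and nothing in the FreeMarker templating path the advisory describes, the message (or a comment next to `<jersey-bom.version>3.1.10</jersey-bom.version>`) should state which issue the Jersey upgrade resolves so that the change is traceable later.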
    @@ -115,7 +115,7 @@
         <openapiswagger.version>2.2.25</openapiswagger.version>
         <httpclient.version>4.5.14</httpclient.version>
         <spring.version>6.2.11</spring.version>
    -    <log4j.version>2.21.0</log4j.version>
    +    <log4j.version>2.25.3</log4j.version>
         <org.junit.jupiter.version>5.9.3</org.junit.jupiter.version>
         <dropwizard-health.version>4.0.14</dropwizard-health.version>
         <handlebars.version>4.5.0</handlebars.version>
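Review bot: the log4j jump from 2.21.0 to 2.25.3 spans several minor releases with no note on whether it is part of the CVE-2026-22244 fix or routine hygiene, and neither this hunk nor the previous one touches the FreeMarker email-template handling the advisory attributes the SSTI to; if the template-side mitigation lives in another commit, link it from the commit message or the advisory's patch list, and otherwise document why two dependency bumps in pom.xml are considered sufficient for this version.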
    


References: 4
