VYPR
Medium severity, 6.1 (NVD) · Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-31379

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal and file upload bypass in Apache OFBiz Catalog Manager allow stored XSS and RCE; fixed in 24.09.06.

Vulnerability

According to the cited reference, the flaw is in Apache OFBiz's Catalog Manager component: a file-upload destination is built from attacker-controlled input without being confined to the intended directory (path traversal, CWE-22), which lets an attacker bypass upload validation and write files to arbitrary locations on the server [1]. Depending on what is written and where, the result is stored cross-site scripting (CWE-79) or injected server-side code leading to remote code execution (CWE-94). Affected versions are Apache OFBiz before 24.09.06 [1].

Exploitation

Exploitation requires an authenticated account with access to the Catalog Manager. The attacker uploads a file whose name or path carries traversal sequences (for example `../`), so it is written outside the intended upload directory and can overwrite existing files [1]. A server-side file such as a JSP dropped where the container will execute it gives code execution; an HTML or script payload served back to other users gives stored XSS. No further user interaction is required beyond the upload itself.
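The upload-path mistake described above, shown beside the check that closes it, as an added example in Python. This is illustrative code written for this page, not OFBiz's own upload handler; the upload root, the allowed-extension list and the helper names are assumptions, and every file name below is constructed input.

```python
import posixpath
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Constructed example values: an assumed upload root (not OFBiz's real layout) and the
# extensions a catalog image upload should accept.
UPLOAD_ROOT = Path("/srv/ofbiz-uploads/catalog")
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def naive_target(upload_root: Path, client_filename: str) -> Path:
    """The anti-pattern: join the client-supplied name onto the upload root as-is.
    pathlib silently lets '../' climb out and lets an absolute name replace the root."""
    return upload_root / client_filename


def escapes_root(upload_root: Path, client_filename: str) -> bool:
    """True when the naive join would land outside the upload root after normalisation.
    This is the confinement check the vulnerable pattern is missing."""
    root = upload_root.resolve()
    candidate = naive_target(upload_root, client_filename).resolve()
    return candidate != root and root not in candidate.parents


def safe_target(upload_root: Path, client_filename: str) -> Path:
    """Hardened form: decode percent-encoding (twice, to defeat double encoding), treat
    backslash as a separator, keep only the base name, whitelist the extension, then prove
    the resolved path is a direct child of the upload root. Raises ValueError otherwise."""
    name = unquote(unquote(client_filename)).replace("\\", "/")
    base = posixpath.basename(name)
    if not base or base in (".", "..") or "\x00" in base:
        raise ValueError("empty, reserved or NUL-bearing file name")
    ext = PurePosixPath(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not an allowed upload type")
    root = upload_root.resolve()
    target = (root / base).resolve()
    if target.parent != root:  # belt and braces: never rely on the basename step alone
        raise ValueError("resolved path is not directly under the upload root")
    return target


def upload_rejected(upload_root: Path, client_filename: str) -> bool:
    """Convenience wrapper: would the hardened handler refuse this name?"""
    try:
        safe_target(upload_root, client_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled names, including double-encoded and backslash variants.
    for name in ["photo.png", "../../webapp/catalog/shell.jsp", "/etc/passwd",
                 "..%2f..%2fshell.jsp", "%252e%252e%252fphoto.png", "..\\..\\photo.png"]:
        print(f"{name!r:40} naive escapes root: {escapes_root(UPLOAD_ROOT, name)!s:5} "
              f"hardened rejects: {upload_rejected(UPLOAD_ROOT, name)}")
```

Note that the basename step alone already defeats `../` and `%2e%2e/` forms; the final `target.parent != root` comparison exists so that a later refactor that reintroduces directory components still fails closed, and the extension whitelist is what keeps a `.jsp` out even when the path is otherwise sane.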

Impact

Successful exploitation gives arbitrary file write on the server, which can be escalated to remote code execution, stored XSS against other users of the application, and information disclosure. Code executed this way runs with the privileges of the OFBiz application itself [1].

Mitigation

Upgrade to Apache OFBiz 24.09.06, released on 2026-05-19 [1]. No workaround is documented, so the upgrade should be applied promptly.
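Because the only fix is the upgrade, a practitioner who ran a vulnerable version also wants to know whether anything was already written into the deployment. The sweep below is an added example, not an OFBiz tool: it looks for server-side file types (JSP, FreeMarker, Groovy) whose modification time falls inside an assumed exposure window, over a constructed temporary directory tree that stands in for a deployment. The suffix list and the directory names are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# File types the container or OFBiz will execute server-side. Assumed list; extend it to
# match what your deployment actually interprets.
SERVER_SIDE_SUFFIXES = {".jsp", ".jspx", ".ftl", ".groovy"}


def find_suspicious_files(deploy_root: Path, not_before: float) -> list[Path]:
    """Walk deploy_root and return every server-side file modified at or after
    not_before (a Unix timestamp), sorted for stable output. Hypothetical helper."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(deploy_root):
        for fname in files:
            p = Path(dirpath) / fname
            if p.suffix.lower() in SERVER_SIDE_SUFFIXES and p.stat().st_mtime >= not_before:
                hits.append(p)
    return sorted(hits)


def build_constructed_deployment() -> tuple[Path, float]:
    """Constructed sample tree (not a real OFBiz layout): a legitimate template that is
    months old, an ordinary image upload, and a JSP planted in a webapp directory during
    the exposure window. Returns the tree root and the window start timestamp."""
    root = Path(tempfile.mkdtemp(prefix="ofbiz-demo-"))
    (root / "webapp" / "catalog").mkdir(parents=True)
    (root / "runtime" / "uploads").mkdir(parents=True)

    legit = root / "webapp" / "catalog" / "main.ftl"
    legit.write_text("<#-- legitimate template -->")
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(legit, (ninety_days_ago, ninety_days_ago))  # predates the window

    (root / "runtime" / "uploads" / "photo.png").write_bytes(b"\x89PNG\r\n")  # benign
    (root / "webapp" / "catalog" / "cmd.jsp").write_text("<% /* planted */ %>")  # suspect

    exposure_start = time.time() - 7 * 86400  # assumed: vulnerable build ran for a week
    return root, exposure_start


if __name__ == "__main__":
    root, since = build_constructed_deployment()
    for hit in find_suspicious_files(root, since):
        print("review:", hit.relative_to(root))
```

Run it against the real deployment root with `not_before` set to when the vulnerable build went live, and compare hits against your release manifest; anything not in the manifest warrants a look. Modification times can be back-dated by an attacker, so treat a clean sweep as necessary, not sufficient.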

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)