CVE-2026-31906
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Apache OFBiz before 24.09.06 via improper HTML attribute escaping in layered-modal dialog parameters.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Apache OFBiz versions before 24.09.06 [1]. The flaw lies in improper neutralization of user input during web page generation; specifically, the layered-modal dialog parameters are not properly escaped in HTML attributes, allowing injection of arbitrary JavaScript [1]. Affected versions: all Apache OFBiz releases prior to 24.09.06 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL with a specially crafted parameter for a layered-modal dialog [1]. The victim must be tricked into clicking such a link while being authenticated to an OFBiz instance [1]. No additional privileges or user interaction beyond the click are required; the injected script executes in the context of the victim's session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of the authenticated victim [1]. This can lead to session hijacking, data theft, defacement, or other actions that the victim's session can perform within the OFBiz application [1]. The scope is the authenticated user's session, potentially exposing sensitive business data and credentials [1].
Mitigation
Apache OFBiz version 24.09.06, released on or around May 19, 2026, fixes the vulnerability by properly escaping HTML attributes in layered-modal dialog parameters [1]. Users are strongly recommended to upgrade to this version [1]. No workarounds are mentioned in the available references; upgrading is the only known mitigation [1].
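The Vulnerability and Mitigation paragraphs above both turn on one point: a value placed inside an HTML attribute must have the quote characters escaped, not only `<`, `>` and `&`. The following is an added illustration, not Apache OFBiz code and not the project's actual fix; the tag, the `data-title` attribute, the sample parameter values and the helper names are constructed for this example. It renders a dialog start tag with a body-only escaper beside an attribute-context escaper and then checks which attributes the resulting tag actually carries.

```python
"""Attribute-context escaping versus body-only escaping (added example).

Hypothetical helpers, not Apache OFBiz code. The dialog tag, the data-title
attribute and the sample parameter values are constructed for illustration.
"""
import html
import re

# Constructed sample parameter values, as a dialog title might arrive
# from a query string.
BENIGN_TITLE = 'Order #1234 "Urgent"'
HOSTILE_TITLE = 'x" onmouseover="injected()'


def render_dialog_body_escaped(title):
    """Vulnerable pattern: escapes <, > and & but leaves quotes alone.

    That is adequate for element text, but inside a quoted attribute a
    double quote in the value terminates the attribute early.
    """
    return '<div class="modal" data-title="%s">' % html.escape(title, quote=False)


def render_dialog_attr_escaped(title):
    """Hardened pattern: attribute-context escaping also encodes " and '."""
    return '<div class="modal" data-title="%s">' % html.escape(title, quote=True)


# Naive attribute matcher for the single start tag rendered above.
# It is not a general HTML parser; it only serves this check.
ATTR_RE = re.compile(r'\s([a-zA-Z-]+)="([^"]*)"')

EXPECTED_ATTRIBUTES = ("class", "data-title")


def attribute_names(markup):
    """List the attribute names present on the rendered start tag."""
    return [m.group(1) for m in ATTR_RE.finditer(markup)]


def has_unexpected_attributes(markup):
    """True when the tag carries attributes the template never intended,
    which is exactly what a broken-out event handler looks like."""
    return any(name not in EXPECTED_ATTRIBUTES for name in attribute_names(markup))


def data_title_value(markup):
    """Decode the data-title attribute the way a browser would see it."""
    match = re.search(r'data-title="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else None


if __name__ == "__main__":
    for label, render in (("body-escaped", render_dialog_body_escaped),
                          ("attr-escaped", render_dialog_attr_escaped)):
        markup = render(HOSTILE_TITLE)
        print(label, markup)
        print("  attributes:", attribute_names(markup))
        print("  unexpected attribute present:", has_unexpected_attributes(markup))
```

With the body-only escaper, the hostile value closes `data-title` after `x` and the remainder becomes a separate `onmouseover` attribute; with attribute-context escaping the whole value stays inside `data-title`, and decoding it gives back the original string unchanged. The same check is a cheap regression test for any template that interpolates request parameters into attributes.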
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References (2)
- lists.apache.org/thread/1fblqdo89d3ps8kgtcnkcq8sh7gwkcpnnvd (mailing list; vendor advisory)
- www.openwall.com/lists/oss-security/2026/05/19/22 (NVD)