CVE-2026-35086
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 24.09.06 contains a code injection vulnerability in email services allowing authenticated remote code execution via unsafe template expansion.
Vulnerability
Apache OFBiz versions before 24.09.06 are affected by a code injection vulnerability in the email services component. The issue stems from improper control of code generation, specifically unsafe template expansion, which allows an attacker to inject arbitrary code [1].
Exploitation
An attacker must have authenticated access to the Apache OFBiz instance. The vulnerability is triggered by crafting a malicious email template that, when processed by the email services, executes injected code [1]. No additional user interaction is required beyond the attacker's authenticated session.
Impact
Successful exploitation results in remote code execution (RCE) in the context of the OFBiz application server. The attacker can execute arbitrary commands, potentially leading to full compromise of the application and underlying system [1].
Mitigation
The issue is fixed in Apache OFBiz version 24.09.06. Users are strongly recommended to upgrade to this version [1]. No workarounds are mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References (2)
- lists.apache.org/thread/g0s37yhnh2xwfts400crb2w8s337hgjxnvd (Mailing List, Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/26 (NVD)