High severity 8.1 · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026

CVE-2026-41883

Description

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.omnifaces:omnifaces (Maven) | < 1.14.2 | 1.14.2 |
| org.omnifaces:omnifaces (Maven) | >= 2.0-RC1, < 2.7.32 | 2.7.32 |
| org.omnifaces:omnifaces (Maven) | >= 3.0-RC1, < 3.14.16 | 3.14.16 |
| org.omnifaces:omnifaces (Maven) | >= 4.0-M1, < 4.7.5 | 4.7.5 |
| org.omnifaces:omnifaces (Maven) | >= 5.0-M1, < 5.2.3 | 5.2.3 |
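
An exposure check for the two conditions the description names, an affected OmniFaces version and a wildcard CDN mapping. This is an added example, not code from the advisory or from OmniFaces. It assumes the mapping string is the comma-separated value of the org.omnifaces.CDN_RESOURCE_HANDLER_URLS context parameter (a name not given on this page); the function names and the sample value are constructed.

```python
import re

# Patched release per major line, copied from the advisory's version table.
PATCHED = {1: (1, 14, 2), 2: (2, 7, 32), 3: (3, 14, 16), 4: (4, 7, 5), 5: (5, 2, 3)}

# Constructed sample value: one wildcard mapping, one fixed-name mapping.
SAMPLE = ("jquery-cdn:*=https://cdn.example.com/*, "
          "fonts:roboto.css=https://cdn.example.com/roboto.css")


def is_affected(version):
    """True/False per the advisory's ranges; None if the major line is not listed."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    patched = PATCHED.get(max(nums[0], 1))  # 0.x falls under "< 1.14.2"
    if patched is None:
        return None
    nums = (nums + (0, 0))[:3]
    if nums != patched:
        return nums < patched
    # Same numbers plus a qualifier (-SNAPSHOT, -RC1) predates the release;
    # counting it as affected is a conservative assumption of this example.
    return bool(m.group(2))


def wildcard_mappings(param_value):
    """Return the mappings whose resource name (left of '=') contains '*'."""
    hits = []
    for entry in (e.strip() for e in param_value.split(",")):
        resource_id, sep, _url = entry.partition("=")
        name = resource_id.split(":", 1)[-1]  # part after "library:", if any
        if sep and "*" in name:
            hits.append(entry)
    return hits


def audit(version, param_value):
    """Wildcard mappings that need attention; empty if the version is patched."""
    if is_affected(version) is False:
        return []
    return wildcard_mappings(param_value)  # affected or unknown version


if __name__ == "__main__":
    for v in ("2.7.31", "2.7.32", "4.0-M1", "6.0"):
        print(v, is_affected(v), audit(v, SAMPLE))
```

A non-empty result from audit() means the deployment matches both conditions and should be upgraded to the patched version for its major line.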
