High severity 8.1 · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026
CVE-2026-41883
Description
OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.omnifaces:omnifaces (Maven) | < 1.14.2 | 1.14.2 |
| org.omnifaces:omnifaces (Maven) | >= 2.0-RC1, < 2.7.32 | 2.7.32 |
| org.omnifaces:omnifaces (Maven) | >= 3.0-RC1, < 3.14.16 | 3.14.16 |
| org.omnifaces:omnifaces (Maven) | >= 4.0-M1, < 4.7.5 | 4.7.5 |
| org.omnifaces:omnifaces (Maven) | >= 5.0-M1, < 5.2.3 | 5.2.3 |
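
An exposure check for the two conditions the description names, an affected version and a wildcard CDN mapping. This is an added example, not code from the advisory or from OmniFaces. The context-param name org.omnifaces.CDN_RESOURCE_HANDLER_URLS is the OmniFaces setting that holds these mappings and does not appear on this page; the function names and the sample web.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Patched release per major line, copied from the advisory's table.
PATCHED = {1: (1, 14, 2), 2: (2, 7, 32), 3: (3, 14, 16), 4: (4, 7, 5), 5: (5, 2, 3)}
CDN_PARAM = "org.omnifaces.CDN_RESOURCE_HANDLER_URLS"  # assumed: not on this page

def is_affected_version(version):
    """True if the version is in an affected range (qualifiers like -RC1 ignored)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(n) for n in m.group().split("."))
    nums += (0,) * (3 - len(nums))        # "2.0-RC1" -> (2, 0, 0)
    fixed = PATCHED.get(max(nums[0], 1))  # 0.x falls under "< 1.14.2"
    return fixed is not None and nums < fixed

def local(tag):  # strip the XML namespace so javaee and jakartaee both match
    return tag.rsplit("}", 1)[-1]

def wildcard_mappings(web_xml_text):
    """Return CDN mapping entries whose resource name is the '*' wildcard."""
    hits = []
    for param in ET.fromstring(web_xml_text).iter():
        if local(param.tag) != "context-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in param}
        if fields.get("param-name") != CDN_PARAM:
            continue
        for entry in fields.get("param-value", "").split(","):
            key = entry.split("=", 1)[0].strip()  # the "library:resource" part
            if key.rsplit(":", 1)[-1] == "*":
                hits.append(entry.strip())
    return hits

def is_exposed(version, web_xml_text):
    """Affected version AND at least one wildcard CDN mapping."""
    return is_affected_version(version) and bool(wildcard_mappings(web_xml_text))

# Constructed sample descriptor (not from a real application).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>js/app.js=https://cdn.example.com/js/app.js, libraryName:*=https://cdn.example.com/*</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    print(wildcard_mappings(SAMPLE_WEB_XML), is_exposed("4.7.4", SAMPLE_WEB_XML))
```

A hit means the application should move to the patched release for its major line; a mapping that names each resource explicitly is not flagged.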