VYPR
High severity (8.1) · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026

CVE-2026-41883

Description

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A server-side EL injection in OmniFaces' CDNResourceHandler allows RCE when a wildcard CDN mapping is used.

Vulnerability

Overview

CVE-2026-41883 is a server-side Expression Language (EL) injection vulnerability in the OmniFaces library for Java Faces. The flaw resides in the CDNResourceHandler component when configured with a wildcard CDN mapping, such as libraryName:*=https://cdn.example.com/* [1][3]. An attacker can craft a resource request URL containing an EL expression in the resource name, which is then evaluated by the server [3].

Attack

Vector

The vulnerability is exploitable by sending a specially crafted HTTP request to a web application using the affected configuration. No authentication is required, as the request is processed during resource handling [1]. The EL injection occurs because the resource name from the URL is not sanitized before being used in EL evaluation [3].

Impact

Successful exploitation results in server-side EL injection, which can lead to remote code execution (RCE) depending on the EL implementation and the objects available in the evaluation context [3]. At a minimum, an attacker can achieve information disclosure and denial of service [3]. Applications using only explicit (non-wildcard) mappings are not affected [1][3].

Mitigation


The issue has been patched in OmniFaces versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3 [1][3]. As a workaround, administrators can replace wildcard CDN mappings with explicit resource-to-URL mappings to prevent injection [3].
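A defender-side check for the workaround above, added here as an example and not code from this advisory or from the OmniFaces project: it parses a web.xml, reads the context parameter that configures CDNResourceHandler, and flags every mapping whose resource side is a wildcard. The parameter name org.omnifaces.CDN_RESOURCE_HANDLER_URLS and the libraryName:resourceName=url mapping syntax are taken from OmniFaces' documentation as I know it, not from this page; the two web.xml fragments are constructed samples, one using the risky wildcard form and one using explicit mappings only.

```python
import xml.etree.ElementTree as ET

# Context parameter that carries CDNResourceHandler's mappings.
# Assumption: the parameter name and the "library:resource=url" syntax come
# from OmniFaces' documentation, not from this advisory page.
CDN_PARAM = "org.omnifaces.CDN_RESOURCE_HANDLER_URLS"

# Constructed sample: a wildcard mapping of the kind the advisory describes.
VULNERABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
      js:jquery.js=https://cdn.example.com/js/jquery.js,
      mylib:*=https://cdn.example.com/mylib/*
    </param-value>
  </context-param>
</web-app>
"""

# Constructed sample: the same CDN offload expressed with explicit mappings only.
FIXED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
      js:jquery.js=https://cdn.example.com/js/jquery.js,
      mylib:app.js=https://cdn.example.com/mylib/app.js,
      mylib:app.css=https://cdn.example.com/mylib/app.css
    </param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix ElementTree attaches to tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_cdn_mappings(web_xml_text):
    """Return the comma-separated CDN mapping entries from web.xml, or [] if unset."""
    root = ET.fromstring(web_xml_text)
    for param in root.iter():
        if _local(param.tag) != "context-param":
            continue
        name = value = ""
        for child in param:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == CDN_PARAM:
            return [entry.strip() for entry in value.split(",") if entry.strip()]
    return []


def find_wildcard_mappings(mappings):
    """Return the entries whose left-hand side (library:resource) contains '*'."""
    flagged = []
    for entry in mappings:
        lhs, _, _url = entry.partition("=")  # split at the first '=' only
        if "*" in lhs:
            flagged.append(entry)
    return flagged


def audit_web_xml(web_xml_text):
    """Wildcard CDN mappings present in the given web.xml text; [] means none."""
    return find_wildcard_mappings(parse_cdn_mappings(web_xml_text))


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "->", audit_web_xml(text) or "no wildcard mappings")
```

Run it against a deployed application's web.xml (or the equivalent value supplied via a servlet container's own configuration); a non-empty result means the deployment is in the configuration the advisory describes until it is upgraded to a patched version or the wildcard entries are rewritten as explicit mappings.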

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions          Patched version
org.omnifaces:omnifaces (Maven)   < 1.14.2                   1.14.2
org.omnifaces:omnifaces (Maven)   >= 2.0-RC1, < 2.7.32       2.7.32
org.omnifaces:omnifaces (Maven)   >= 3.0-RC1, < 3.14.16      3.14.16
org.omnifaces:omnifaces (Maven)   >= 4.0-M1, < 4.7.5         4.7.5
org.omnifaces:omnifaces (Maven)   >= 5.0-M1, < 5.2.3         5.2.3

Affected products (2)

  • Omnifaces/Omnifaces (GHSA, 2 versions)
    • (no CPE) range: >= 5.0-M1, < 5.2.2
    • (no CPE) range: <1.14.2 || >=2.0.0 <2.7.32 || >=3.0.0 <3.14.16 || >=4.0.0 <4.7.5 || >=5.0.0 <5.2.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.