VYPR

Ofbiz

by Apache

Source repositories

CVEs (76)

  • CVE-2026-31379MedMay 19, 2026
    risk 0.40cvss 6.1epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects…

  • CVE-2016-6800MedAug 30, 2017
    risk 0.40cvss 6.1epss 0.03

    The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the…

  • CVE-2015-3268MedApr 12, 2016
    risk 0.40cvss 6.1epss 0.09

    Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a…

  • CVE-2026-31388MedMay 19, 2026
    risk 0.34cvss 5.3epss 0.00

    Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-31387MedMay 19, 2026
    risk 0.34cvss 5.3epss 0.01

    Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2024-32113KEVMay 8, 2024
    risk 0.23cvss epss 0.99

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

  • CVE-2024-45195KEVSep 4, 2024
    risk 0.20cvss epss 1.00

    Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

  • CVE-2024-38856KEVAug 5, 2024
    risk 0.16cvss epss 0.99

    Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some…

  • CVE-2023-51467Dec 26, 2023
    risk 0.11cvss epss 0.96

    The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code

  • CVE-2023-49070Dec 5, 2023
    risk 0.11cvss epss 0.95

    Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.  Users are recommended to upgrade to version 18.12.10

  • CVE-2021-26295Mar 22, 2021
    risk 0.11cvss epss 0.98

    Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

  • CVE-2020-9496Jul 15, 2020
    risk 0.11cvss epss 0.99

    XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03

  • CVE-2024-45507Sep 4, 2024
    risk 0.07cvss epss 0.93

    Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

  • CVE-2024-36104Jun 4, 2024
    risk 0.07cvss epss 0.88

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

  • CVE-2023-50968Dec 26, 2023
    risk 0.07cvss epss 0.63

    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version…

  • CVE-2022-47501Apr 14, 2023
    risk 0.07cvss epss 0.10

    Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.

  • CVE-2021-30128Apr 27, 2021
    risk 0.07cvss epss 0.81

    Apache OFBiz has unsafe deserialization prior to 17.12.07 version

  • CVE-2021-29200Apr 27, 2021
    risk 0.07cvss epss 0.55

    Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

  • CVE-2020-1943Apr 1, 2020
    risk 0.07cvss epss 0.97

    Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.

  • CVE-2018-8033Dec 13, 2018
    risk 0.07cvss epss 0.26

    In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters:…