CVE-2025-54466

9.8 CRITICAL
Published: August 15, 2025 Modified: November 04, 2025
View on NVD

Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://issues.apache.org/jira/browse/OFBIZ-13276
Source: security@apache.org
Patch
https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915
Source: security@apache.org
Mailing List Third Party Advisory
https://ofbiz.apache.org/download.html
Source: security@apache.org
Product
https://ofbiz.apache.org/release-notes-24.09.02.html
Source: security@apache.org
Release Notes
https://ofbiz.apache.org/security.html
Source: security@apache.org
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/08/05/1
Source: af854a3a-2127-422b-91ae-364da2661108

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
0.1%
36th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-94

Affected Vendors

apache

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3