Vulnerability Description
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It is a regression between 18.12.17 and 18.12.18, so it matters only if you use something from between those two versions, which is not recommended: for security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. Version 18.12.17 is not affected, but something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ofbiz | 18.12.17 |
Related Weaknesses (CWE)
References
- https://issues.apache.org/jira/browse/OFBIZ-12594 (Issue Tracking, Patch)
- https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7 (Mailing List, Vendor Advisory)
- https://ofbiz.apache.org/download.html (Product)
- https://ofbiz.apache.org/security.html (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2025/03/07/1 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2025-26865?
CVE-2025-26865 is a vulnerability with a CVSS score of 3.5 (LOW). Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12...
How severe is CVE-2025-26865?
CVE-2025-26865 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-26865?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Ofbiz.