Vulnerability Description
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in the Apache OFBiz scrum plugin. This issue affects Apache OFBiz versions before 24.09.02, and only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ofbiz | < 24.09.02 |
Related Weaknesses (CWE)
References
- https://issues.apache.org/jira/browse/OFBIZ-13276 (Patch)
- https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915 (Mailing List, Third Party Advisory)
- https://ofbiz.apache.org/download.html (Product)
- https://ofbiz.apache.org/release-notes-24.09.02.html (Release Notes)
- https://ofbiz.apache.org/security.html (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2025/08/05/1
FAQ
What is CVE-2025-54466?
CVE-2025-54466 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It is an Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in the Apache OFBiz scrum plugin. This issue affects Apache OFBiz versions before 24.09.02, and only when the scrum plugin is used.
How severe is CVE-2025-54466?
CVE-2025-54466 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-54466?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Ofbiz.