CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2026-31387 - Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation

CVE ID: CVE-2026-31387
Published: May 19, 2026, 10:16 a.m.
Description: Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-31388 - Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature

CVE ID: CVE-2026-31388
Published: May 19, 2026, 10:16 a.m.
Description: Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-31906 - Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters

CVE ID: CVE-2026-31906
Published: May 19, 2026, 10:16 a.m.
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-31909 - Apache OFBiz: Unauthenticated Shipment Label Image Disclosure

CVE ID: CVE-2026-31909
Published: May 19, 2026, 10:16 a.m.
Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-31910 - Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access

CVE ID: CVE-2026-31910
Published: May 19, 2026, 10:16 a.m.
Description: Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-31986 - Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection

CVE ID: CVE-2026-31986
Published: May 19, 2026, 10:16 a.m.
Description: Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-35086 - Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services

CVE ID: CVE-2026-35086
Published: May 19, 2026, 10:16 a.m.
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-41919 - Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction

CVE ID: CVE-2026-41919
Published: May 19, 2026, 10:16 a.m.
Description: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
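What "special elements in DN construction" means in practice: a username pasted into a DN template can add a second RDN and thereby change which directory entry gets bound, which is how an LDAP injection turns into an authentication bypass. OFBiz itself is Java; the PHP below is an added, language-independent illustration kept in the same language as the other examples on this page, not OFBiz code. The DN template, the function names and the injected username are constructed for the example.

```php
<?php
declare(strict_types=1);

// RFC 4514 escaping for one attribute value placed inside a DN: the characters
// with structural meaning (, + " \ < > ;) get a backslash, as do NUL, a leading
// '#', and a leading or trailing space. Hand-written here so the example does
// not need ext/ldap; with the extension loaded, ldap_escape($v, '', LDAP_ESCAPE_DN)
// does the same job.
function escapeDnValue(string $value): string
{
    $escaped = preg_replace('/([,+"\\\\<>;])/', '\\\\$1', $value);
    $escaped = str_replace("\0", '\\00', $escaped);
    // Trailing space first, then leading, so a value of a single space is escaped once.
    if ($escaped !== '' && substr($escaped, -1) === ' ') {
        $escaped = substr($escaped, 0, -1) . '\\ ';
    }
    if ($escaped !== '' && ($escaped[0] === '#' || $escaped[0] === ' ')) {
        $escaped = '\\' . $escaped;
    }
    return $escaped;
}

// Vulnerable: the username is pasted into the DN template unchanged.
function userDnVulnerable(string $username): string
{
    return "uid=$username,ou=people,dc=example,dc=org";
}

// Hardened: the value is escaped, so it can only ever form the uid RDN.
function userDnHardened(string $username): string
{
    return 'uid=' . escapeDnValue($username) . ',ou=people,dc=example,dc=org';
}

// Splits a DN on unescaped commas; the RDN count shows whether the input
// changed the structure of the name.
function rdnCount(string $dn): int
{
    return count(preg_split('/(?<!\\\\),/', $dn));
}

// Constructed input: a "username" that carries a second RDN.
$injected = 'alice,ou=admins';

printf("vulnerable: %s  (%d RDNs)\n", userDnVulnerable($injected), rdnCount(userDnVulnerable($injected)));
printf("hardened:   %s  (%d RDNs)\n", userDnHardened($injected), rdnCount(userDnHardened($injected)));
```

Escaping is necessary but not sufficient for a login flow: after the bind, compare the DN or the uid attribute of the entry actually bound with the account the application intended to authenticate, rather than trusting that the template produced it.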
CVE-2026-45187 - Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs

CVE ID: CVE-2026-45187
Published: May 19, 2026, 10:16 a.m.
Description: Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-45434 - Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE

CVE ID: CVE-2026-45434
Published: May 19, 2026, 10:16 a.m.
Description: Improper Authentication vulnerability in Apache OFBiz via a password-change logic flaw leading to remote code execution. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-46586 - Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution

CVE ID: CVE-2026-46586
Published: May 19, 2026, 10:16 a.m.
Description: Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-46721 - Broken Access Control in extension "Frontend User Registration" (sf_register)

CVE ID: CVE-2026-46721
Published: May 19, 2026, 10:16 a.m.
Description: The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
Severity: 6.9 | MEDIUM
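The fix for the class of bug described in the sf_register entry is the same in any framework: bind only an explicit allow-list of submitted properties, and set group membership and approval state server side. The PHP below is an added example, not code from sf_register or TYPO3; the field names, the default group uid and the submitted request body are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed request body as a registration form might submit it: the
// expected fields plus two properties an attacker has added by hand.
const SUBMITTED_REGISTRATION = [
    'username'   => 'alice',
    'email'      => 'alice@example.org',
    'password'   => 'correct horse battery staple',
    'first_name' => 'Alice',
    'usergroup'  => '1',   // added by the attacker: uid of a privileged group
    'disable'    => '0',   // added by the attacker: skip the approval step
];

// Properties the self-service form is allowed to set. Group membership and
// approval state are deliberately absent: the server decides those.
const REGISTRATION_FIELDS = ['username', 'email', 'password', 'first_name', 'last_name'];

// Create flow: keep only allow-listed fields, then set the security-relevant
// columns from configuration rather than from the request. Unexpected keys are
// returned separately so the caller can log them (a probe is worth knowing about).
function buildNewUser(array $request, int $defaultGroupUid): array
{
    $user = array_intersect_key($request, array_flip(REGISTRATION_FIELDS));
    $user['usergroup'] = (string) $defaultGroupUid;
    $user['disable']   = 1;   // stays disabled until confirmation / approval
    $dropped = array_values(array_diff(array_keys($request), REGISTRATION_FIELDS));
    return ['user' => $user, 'dropped' => $dropped];
}

// Edit flow: the same allow-list idea, but usergroup becomes editable only when
// the caller holds the corresponding permission (a backend editor, never the
// frontend user editing their own profile).
function applyProfileEdit(array $current, array $request, bool $callerMayChangeGroups): array
{
    $editable = ['email', 'first_name', 'last_name'];
    if ($callerMayChangeGroups) {
        $editable[] = 'usergroup';
    }
    foreach ($request as $field => $value) {
        if (in_array($field, $editable, true)) {
            $current[$field] = $value;
        }
    }
    return $current;
}

// The submitted usergroup and disable values never reach the stored record;
// they show up in 'dropped' instead.
$result = buildNewUser(SUBMITTED_REGISTRATION, 5);
print_r($result);

$profile = $result['user'];
print_r(applyProfileEdit($profile, ['email' => 'new@example.org', 'usergroup' => '1'], false));
print_r(applyProfileEdit($profile, ['usergroup' => '1'], true));
```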
CVE-2026-46722 - XML External Entity Injection in extension "Faceted Search" (ke_search)

CVE ID: CVE-2026-46722
Published: May 19, 2026, 10:16 a.m.
Description: The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
Severity: 5.9 | MEDIUM
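The mechanism in the ke_search XXE entry, shown on one OOXML part: an xlsx or pptx is a zip of XML files, and an indexer that hands those files to a DTD-resolving parser will copy whatever an external entity points at into its extracted text. The PHP below is an added example, not ke_search or TYPO3 code; the crafted part, the file path in the entity and the function names are constructed. It needs PHP 8 with ext/dom.

```php
<?php
declare(strict_types=1);

// Constructed content of one OOXML part (the kind of XML found inside an .xlsx
// or .pptx zip): a DOCTYPE declaring an external entity that points at a local
// file. An http:// URL in the SYSTEM literal would make the parser perform an
// outbound request instead.
const CRAFTED_PART = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sst [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <si><t>&xxe;</t></si>
</sst>
XML;

const BENIGN_PART = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <si><t>Quarterly totals</t></si>
</sst>
XML;

// Vulnerable extraction: LIBXML_NOENT asks libxml to substitute entities and
// LIBXML_DTDLOAD lets it resolve the DTD, so whatever the entity points at
// ends up in the returned text, and from there in the search index.
function extractTextVulnerable(string $xml): string
{
    $dom = new DOMDocument();
    @$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return trim($dom->textContent);
}

// Hardened extraction: OOXML parts never legitimately carry a DTD, so any
// document that has one is rejected outright; LIBXML_NOENT is never passed,
// and LIBXML_NONET forbids network fetches as defence in depth.
function extractTextHardened(string $xml): string
{
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('malformed XML part');
        }
        if ($dom->doctype !== null) {
            throw new RuntimeException('DTD found in OOXML part, refusing to index');
        }
        return trim($dom->textContent);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

echo 'vulnerable parser returned: ', var_export(extractTextVulnerable(CRAFTED_PART), true), PHP_EOL;

try {
    extractTextHardened(CRAFTED_PART);
} catch (RuntimeException $e) {
    echo 'hardened parser: ', $e->getMessage(), PHP_EOL;
}

echo 'hardened parser on a normal part: ', extractTextHardened(BENIGN_PART), PHP_EOL;
```

Rejecting the DTD is the check that matters; never passing LIBXML_NOENT and adding LIBXML_NONET only limit the damage if some other code path parses the same bytes.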
CVE-2026-46723 - Information Disclosure in extension "Faceted Search" (ke_search)

CVE ID: CVE-2026-46723
Published: May 19, 2026, 10:16 a.m.
Description: The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.
Severity: 5.9 | MEDIUM
CVE-2026-46724 - Path Traversal in extension "Faceted Search" (ke_search)

CVE ID: CVE-2026-46724
Published: May 19, 2026, 10:16 a.m.
Description: The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
Severity: 5.9 | MEDIUM
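The missing step named in the path traversal entry, normalising the configured directory before use, is only half of the fix; the other half is checking that the normalised path still lies inside the directory the indexer is allowed to read. The PHP below is an added example, not ke_search or TYPO3 code; it builds a throwaway directory layout in the system temp directory (including a prefix-collision directory and a symlink that points outside the base) to exercise the edge cases. Paths, names and the function are constructed; it needs PHP 8.

```php
<?php
declare(strict_types=1);

// Resolves an indexer's configured directory and proves it lies inside $base.
// realpath() collapses "..", "." and symlinks, so the comparison is made on the
// real location rather than on the string the administrator typed.
function resolveIndexDirectory(string $base, string $configured): string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        throw new RuntimeException("base directory does not exist: $base");
    }
    // Relative values are interpreted relative to the base; absolute ones must
    // still resolve to somewhere inside it.
    $candidate = str_starts_with($configured, DIRECTORY_SEPARATOR)
        ? $configured
        : $base . DIRECTORY_SEPARATOR . $configured;
    $real = realpath($candidate);
    if ($real === false) {
        throw new RuntimeException("directory does not exist: $configured");
    }
    // Compare with a trailing separator so that "/srv/docs2" does not pass as
    // being inside "/srv/docs".
    if ($real !== $baseReal && !str_starts_with($real, $baseReal . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("directory escapes base: $configured");
    }
    return $real;
}

// Constructed directory layout in the system temp dir:
//   <tmp>/docs          allowed base
//   <tmp>/docs/reports  legitimate sub-directory
//   <tmp>/docs/link     symlink pointing outside the base
//   <tmp>/docs2         prefix collision with the base
//   <tmp>/secret        must never become indexable
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . bin2hex(random_bytes(4));
foreach (['docs/reports', 'docs2', 'secret'] as $dir) {
    mkdir("$tmp/$dir", 0700, true);
}
symlink("$tmp/secret", "$tmp/docs/link");

$base = "$tmp/docs";
foreach (['reports', '.', '../secret', 'reports/../../secret', "$tmp/docs2", 'link'] as $configured) {
    try {
        printf("%-22s -> accepted: %s\n", $configured, resolveIndexDirectory($base, $configured));
    } catch (RuntimeException $e) {
        printf("%-22s -> rejected: %s\n", $configured, $e->getMessage());
    }
}

// Remove the constructed layout again.
unlink("$tmp/docs/link");
foreach (['docs/reports', 'docs', 'docs2', 'secret'] as $dir) {
    rmdir("$tmp/$dir");
}
rmdir($tmp);
```

Only 'reports' and '.' should be accepted; the two traversal strings, the symlink and the docs2 prefix collision are all rejected because the comparison happens after realpath() has resolved them.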
CVE-2026-46725 - Remote Code Execution in extension "Content Element Selector" (ceselector)

CVE ID: CVE-2026-46725
Published: May 19, 2026, 10:16 a.m.
Description: The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
Severity: 9.2 | CRITICAL
CVE-2026-8726 - SQL Injection in extension "News system" (news)

CVE ID: CVE-2026-8726
Published: May 19, 2026, 10:16 a.m.
Description: The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
Severity: 8.2 | HIGH
CVE-2026-8727 - Remote Code Execution in extension "Site Crawler" (crawler)

CVE ID: CVE-2026-8727
Published: May 19, 2026, 10:16 a.m.
Description: The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
Severity: 7.1 | HIGH
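The ceselector entry (CVE-2026-46725, a cookie) and the crawler entry (CVE-2026-8727, a response header) describe the same root cause: bytes an outside party controls reach unserialize(), so any autoloadable class with a useful magic method can be instantiated with attacker-chosen properties. The PHP below is an added example, not code from either extension or from TYPO3, contrasting that pattern with two hardened alternatives. DemoGadget, the serialized payload, the HMAC key handling and all function names are constructed for the illustration; it needs PHP 8.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget class. A real chain abuses a class that is
// already autoloadable in the application and whose __wakeup() or __destruct()
// does something dangerous with attacker-chosen properties; this one only
// records that it was instantiated.
final class DemoGadget
{
    public static bool $triggered = false;
    public string $cmd = '';

    public function __wakeup(): void
    {
        self::$triggered = true;   // a real gadget would act on $this->cmd here
    }
}

// The pattern from both advisories: bytes controlled by an outside party (a
// cookie, or a response header read back from a crawled URL) go straight to
// unserialize(), so any class the autoloader can find may be instantiated.
function loadStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened variant 1: keep the wire format but forbid objects. With
// allowed_classes=false every O:/C: token becomes __PHP_Incomplete_Class, so
// no magic method runs; anything that is not the plain array we expect is rejected.
function loadStateHardened(string $untrusted): ?array
{
    if ($untrusted === '' || strlen($untrusted) > 4096) {
        return null;
    }
    $value = @unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($value)) {
        return null;
    }
    $hasObject = false;
    array_walk_recursive($value, function ($leaf) use (&$hasObject): void {
        if (is_object($leaf)) {
            $hasObject = true;
        }
    });
    return $hasObject ? null : $value;
}

// Hardened variant 2, preferable when the server issues the value itself: JSON
// instead of PHP serialization, plus an HMAC so a client can only hand back a
// value this server produced. $key is a per-deployment secret.
function encodeSigned(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function decodeSigned(string $token, string $key): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null;
    }
    $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// Constructed attacker input: a serialized DemoGadget, as it would sit in the
// cookie or in the X-T3Crawler-Meta header of a hostile endpoint.
$payload = 'O:10:"DemoGadget":1:{s:3:"cmd";s:4:"calc";}';

loadStateVulnerable($payload);
echo 'vulnerable path instantiated the gadget: ', var_export(DemoGadget::$triggered, true), PHP_EOL;

DemoGadget::$triggered = false;
echo 'hardened path returned: ', var_export(loadStateHardened($payload), true), PHP_EOL;
echo 'hardened path instantiated the gadget: ', var_export(DemoGadget::$triggered, true), PHP_EOL;

$key   = random_bytes(32);
$token = encodeSigned(['mode' => 'static', 'selected' => 3], $key);
echo 'signed token round-trips: ', var_export(decodeSigned($token, $key) !== null, true), PHP_EOL;
echo 'tampered token accepted: ', var_export(decodeSigned($token . 'x', $key) !== null, true), PHP_EOL;
```

For the crawler case the second variant does not apply as-is, because the header comes from a third-party endpoint rather than from this server; there the right move is to stop accepting serialized PHP from the crawled site altogether and parse a constrained JSON structure instead.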
CVE-2026-8827 - SQL Injection in extension "Address List" (tt_address)

CVE ID: CVE-2026-8827
Published: May 19, 2026, 10:16 a.m.
Description: The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
Severity: 8.2 | HIGH
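Both SQL injection entries above (the news date menu, CVE-2026-8726, and tt_address's getSqlQuery(), CVE-2026-8827) come down to a query assembled from strings that include request input. The PHP below is an added example, not code from either extension or from TYPO3, using an in-memory SQLite table through PDO so it runs stand-alone; it shows the interpolated query beside the bound-parameter version on a constructed date-menu style parameter. Table layout, data and function names are constructed; it needs PHP 8 with pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for a news table: a title, a unix
// timestamp and a hidden flag that frontend queries must always filter on.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE news (uid INTEGER PRIMARY KEY, title TEXT, pubdate INTEGER, hidden INTEGER NOT NULL DEFAULT 0)');
    $insert = $db->prepare('INSERT INTO news (title, pubdate, hidden) VALUES (?, ?, ?)');
    $insert->execute(['Public post',  gmmktime(12, 0, 0, 5, 1, 2026), 0]);
    $insert->execute(['Hidden draft', gmmktime(12, 0, 0, 5, 2, 2026), 1]);
    $insert->execute(['Older post',   gmmktime(12, 0, 0, 4, 1, 2026), 0]);
    return $db;
}

// Vulnerable pattern: the year and month chosen in a date menu arrive as URL
// parameters and are interpolated into the SQL text.
function titlesForMonthVulnerable(PDO $db, string $year, string $month): array
{
    $sql = "SELECT title FROM news WHERE hidden = 0"
         . " AND strftime('%Y', pubdate, 'unixepoch') = '$year'"
         . " AND strftime('%m', pubdate, 'unixepoch') = '$month'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: check the shape first (four digits, then 01..12), then bind the
// values. Bound parameters travel separately from the SQL text, so no value
// can alter the structure of the query; the shape check additionally keeps
// junk out of the query plan and the logs.
function titlesForMonthHardened(PDO $db, string $year, string $month): array
{
    if (!preg_match('/^\d{4}$/', $year) || !preg_match('/^(0[1-9]|1[0-2])$/', $month)) {
        throw new InvalidArgumentException('invalid year/month');
    }
    $stmt = $db->prepare(
        "SELECT title FROM news WHERE hidden = 0"
        . " AND strftime('%Y', pubdate, 'unixepoch') = :y"
        . " AND strftime('%m', pubdate, 'unixepoch') = :m"
    );
    $stmt->execute([':y' => $year, ':m' => $month]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// A normal request.
print_r(titlesForMonthHardened($db, '2026', '05'));

// Constructed injection in the month parameter: closes the string literal and
// appends OR 1=1, which (AND binding tighter than OR) makes the whole WHERE
// clause true, so the hidden row comes back from the vulnerable version.
$evil = "05' OR 1=1 --";
print_r(titlesForMonthVulnerable($db, '2026', $evil));

try {
    titlesForMonthHardened($db, '2026', $evil);
} catch (InvalidArgumentException $e) {
    echo 'hardened version rejected the input: ', $e->getMessage(), PHP_EOL;
}
```

The tt_address case is the same fix seen from the library side: a repository method that takes raw SQL fragments from its caller should either take typed values and bind them itself, or not exist at all, since every caller has to get escaping right for it to be safe.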
CVE-2026-8951 - Spoofing issue in the Toolbar component in Firefox for Android

CVE ID: CVE-2026-8951
Published: May 19, 2026, 2:16 p.m.
Description: Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Severity: 0.0 | NA (no CVSS score published yet)
CVE-2026-8952 - Privilege escalation in the Application Update component

CVE ID: CVE-2026-8952
Published: May 19, 2026, 2:16 p.m.
Description: Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151.
Severity: 0.0 | NA (no CVSS score published yet)