CVE-2025-54466
Apache OFBiz: RCE Vulnerability in scrum plugin
CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
0th
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.
| CWE | CWE-94 |
| Vendor | apache software foundation |
| Product | apache ofbiz |
| Published | Aug 15, 2025 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for apache software foundation apache ofbiz
Be the first to know when new medium vulnerabilities affecting apache software foundation apache ofbiz are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Apache Software Foundation / Apache OFBiz
0 < 24.09.02
References
ofbiz.apache.org: https://ofbiz.apache.org/download.html ofbiz.apache.org: https://ofbiz.apache.org/security.html ofbiz.apache.org: https://ofbiz.apache.org/release-notes-24.09.02.html issues.apache.org: https://issues.apache.org/jira/browse/OFBIZ-13276 lists.apache.org: https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915 openwall.com: http://www.openwall.com/lists/oss-security/2025/08/05/1