{"id":"CVE-2025-54466","details":"Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue.","modified":"2026-04-12T17:14:03.998234Z","published":"2025-08-15T15:15:32.360Z","references":[{"type":"WEB","url":"https://ofbiz.apache.org/download.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/08/05/1"},{"type":"ADVISORY","url":"https://ofbiz.apache.org/release-notes-24.09.02.html"},{"type":"ADVISORY","url":"https://ofbiz.apache.org/security.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915"},{"type":"FIX","url":"https://issues.apache.org/jira/browse/OFBIZ-13276"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/ofbiz-framework","events":[{"introduced":"0"},{"fixed":"a0fd48e6f8e9f7195805d6c86281b815fb2de892"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"24.09.02"}]}}],"versions":["release24.09.01"],"database_specific":{"vanir_signatures":[{"id":"CVE-2025-54466-082710e8","signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"function_hash":"115239135110448458133838827146088054427","length":4499},"source":"https://github.com/apache/ofbiz-framework/commit/a0fd48e6f8e9f7195805d6c86281b815fb2de892","target":{"function":"render","file":"framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/fo/ScreenFopViewHandler.java"}},{"id":"CVE-2025-54466-b8194ec6","signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["249146079106409486859352739705293824872","314012154644596642122118081014475321011","242468568323965799300793993567488478400","251410504749570407709719120966721489550"]},"source":"https://github.com/apache/ofbiz-framework/commit/a0fd48e6f8e9f7195805d6c86281b815fb2de892","target":{"file":"framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/fo/ScreenFopViewHandler.java"}}],"vanir_signatures_modified":"2026-04-12T17:14:03Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54466.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}