Skip to content
/ CVE-2025-26865 Public

CVE-2025-26865: FreeMarker Server-Side Template Injection via the "ecommerce" plugin in Apache OfBiz

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mbadanoiu/CVE-2025-26865

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 

Repository files navigation

CVE-2025-26865: FreeMarker Server-Side Template Injection via the "ecommerce" plugin in Apache OfBiz

Due to a regression between 18.12.17 and 18.12.18 the fix for finding CVE-2022-25813: FreeMarker Server-Side Template Injection in Apache OfBiz was no longer enforced which reopened the possibility of launching FreeMarker Server-Side Template Injection (SSTI) attacks by leveraging the "ecommerce" plugin.

If the attack is successful, the SSTI may result in Remote Code Execution (RCE).

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Requirements:

This vulnerability requires:

  • Registering a new user or valid user credentials
  • User interaction of a administrative user

Proof Of Concept:

As this attack is a exact re-creation of CVE-2022-25813, more details and the exploitation process can be found in this PDF.

Additional Resources:

Original SSTI finding in Apache OfBiz: CVE-2022-25813: FreeMarker Server-Side Template Injection in Apache OfBiz

About

CVE-2025-26865: FreeMarker Server-Side Template Injection via the "ecommerce" plugin in Apache OfBiz

Topics

cve user-interaction remote-code-execution server-side-template-injection cves 0-day cve-2022-25813 cve-2025-26865

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository