Every CVE whose affected-product data names Apache Ofbiz, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (76)
CVE-2013-2250 — CVSS 10.0 (critical): Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to…
CVE-2012-3506 — CVSS 10.0 (critical): Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors.
CVE-2022-25371 — CVSS 9.8 (critical): Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By…
CVE-2022-29063 — CVSS 9.8 (critical): The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05…
CVE-2012-1622 — CVSS 9.8 (critical): Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2023-49070 — CVSS 9.8 (critical): Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before…
CVE-2026-45434 — CVSS 9.8 (critical): Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects…
CVE-2023-51467 — CVSS 9.8 (critical): The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
CVE-2018-17200 — CVSS 9.8 (critical): The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the…
CVE-2019-0189 — CVSS 9.8 (critical): The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService"…
CVE-2024-47208 — CVSS 9.8 (critical): Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue…
CVE-2019-10074 — CVSS 9.8 (critical): An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a…
CVE-2024-45507 — CVSS 9.8 (critical): Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue…
CVE-2021-26295 — CVSS 9.8 (critical): Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over…
CVE-2021-29200 — CVSS 9.8 (critical): Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
CVE-2021-37608 — CVSS 9.8 (critical): Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue…
CVE-2025-54466 — CVSS 9.8 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue…
CVE-2016-2170 — CVSS 9.8 (critical): Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted…
CVE-2017-15714 — CVSS 9.8 (critical): The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing…
CVE-2026-31986 — CVSS 9.1 (critical): Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended…
CVE-2024-36104 — CVSS 9.1 (critical): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache…
CVE-2024-25065 — CVSS 9.1 (critical): Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes…
CVE-2026-41919 — CVSS 9.1 (critical): Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects…
CVE-2016-4462 — CVSS 8.8 (high): By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template…
CVE-2024-48962 — CVSS 8.8 (high): Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements…
CVE-2026-47342 — CVSS 8.8 (high): A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue…
CVE-2026-46586 — CVSS 8.8 (high): Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval…
CVE-2026-50223 — CVSS 8.8 (high): Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with…
CVE-2026-31909 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06…
CVE-2006-6588 — CVSS 7.5 (high): The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2)…
CVE-2011-3600 — CVSS 7.5 (high): The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE…
CVE-2018-8033 — CVSS 7.5 (high): In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP…
CVE-2022-25813 — CVSS 7.5 (high): In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious…
CVE-2022-29158 — CVSS 7.5 (high): Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by…
CVE-2022-47501 — CVSS 7.5 (high): Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication…
CVE-2023-50968 — CVSS 7.5 (high): Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without…
CVE-2026-31910 — CVSS 7.5 (high): Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended…
CVE-2026-29226 — CVSS 7.3 (high): Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before…
CVE-2025-59118 — CVSS 7.3 (high): Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are…
CVE-2006-6589 — CVSS 6.8 (medium): Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps…
CVE-2006-6587 — CVSS 6.8 (medium): Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project…
CVE-2026-29207 — CVSS 6.5 (medium): Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz…
CVE-2026-31378 — CVSS 6.5 (medium): Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade…
CVE-2021-25958 — CVSS 6.5 (medium): In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out…
CVE-2026-31380 — CVSS 6.5 (medium): Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in…
CVE-2026-45187 — CVSS 6.5 (medium): Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to…
CVE-2025-61623 — CVSS 6.5 (medium): Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to…
CVE-2026-35086 — CVSS 6.5 (medium): Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz…
CVE-2026-29220 — CVSS 6.5 (medium): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache…
CVE-2025-30676 — CVSS 6.1 (medium): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache…
CVE-2020-9496 — CVSS 6.1 (medium): XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
CVE-2020-1943 — CVSS 6.1 (medium): Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
CVE-2019-10073 — CVSS 6.1 (medium): The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks…
CVE-2016-6800 — CVSS 6.1 (medium): The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are…
CVE-2026-31906 — CVSS 6.1 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects…
CVE-2015-3268 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before…
CVE-2026-31379 — CVSS 6.1 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted…
CVE-2022-25370 — CVSS 5.4 (medium): Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz…
CVE-2026-31388 — CVSS 5.3 (medium): Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users…
CVE-2026-31387 — CVSS 5.3 (medium): Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade…
CVE-2019-12426 — CVSS 5.3 (medium): an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to…
CVE-2020-13923 — CVSS 5.3 (medium): IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
CVE-2023-46819 — CVSS 5.3 (medium): Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before…
CVE-2024-23946 — CVSS 5.3 (medium): Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE-2013-2137 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka…
CVE-2012-1621 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote…
CVE-2014-0232 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before…
CVE-2010-0432 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in…
CVE-2025-26865 — CVSS 3.5 (low): Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from…
CVE-2013-0177 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz)…