CVE-2026-41883 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: May 8, 2026
OmniFaces - Server-Side Template Injection
Published: May 8, 2026Updated: May 8, 2026Remote Exploitable
Overview
OmniFaces < 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3 contains a server-side template injection caused by evaluation of EL expressions in resource names with wildcard CDN mapping, letting attackers execute remote code, exploit requires use of CDNResourceHandler with wildcard mapping.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers can execute arbitrary code remotely, potentially leading to full server compromise.
Mitigation
Upgrade to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, or 5.2.3 or later.
Related Resources
Details
- CVE ID
- CVE-2026-41883
- Severity
- High
- CVSS Score
- 8.1
- Type
- template_injection
- Status
- new
CWE
- CWE-917
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H