PatchSiren cyber security CVE debrief

CVE-2026-31379 Apache Software Foundation CVE debrief

Apache OFBiz versions prior to 24.09.06 contain multiple vulnerability classes: Cross-site Scripting (CWE-79), Path Traversal (CWE-22), and Code Injection (CWE-94). The vendor published advisory details on 2026-05-19. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope change, with low impacts to confidentiality and integrity. No availability impact is scored. The vendor recommends upgrading to version 24.09.06 to remediate these issues. No known exploitation in ransomware campaigns has been reported.

Vendor: Apache Software Foundation
Product: Apache OFBiz
CVSS: 6.1 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations running Apache OFBiz versions prior to 24.09.06, particularly those with externally accessible deployments or multi-tenant environments where scope change impacts could amplify risk across trust boundaries.

Technical summary

Apache OFBiz before 24.09.06 is affected by three vulnerability types: improper neutralization of input during web page generation (XSS, CWE-79), improper limitation of a pathname to a restricted directory (Path Traversal, CWE-22), and improper control of code generation (Code Injection, CWE-94). The CVSS 3.1 score of 6.1 (Medium) reflects network accessibility with required user interaction and a scope change. Successful exploitation could allow attackers to execute scripts in users' browsers, access files outside the intended directories, or inject and execute arbitrary code. The vendor has released version 24.09.06 containing fixes.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Apache OFBiz to version 24.09.06 or later
  • Review application logs for suspicious input patterns consistent with XSS, path traversal, or code injection attempts
  • Validate that web application firewalls or input filtering rules address the identified CWE classes
  • Monitor Apache OFBiz security mailing lists for additional guidance

Evidence notes

CWE-79 (XSS), CWE-22 (Path Traversal), and CWE-94 (Code Injection) are explicitly listed as weakness enumerations. The CPE criteria confirm that all versions before 24.09.06 are affected. The CVSS vector and score are derived from NVD source data.

Official resources

Apache disclosed this vulnerability via its security mailing list on 2026-05-19, with NVD publishing the record the same day. The modified timestamp (2026-05-19T19:16:47.323Z) indicates that the entry was updated on the day of publication.