PatchSiren cyber security CVE debrief
CVE-2026-31906 Apache Software Foundation CVE debrief
Apache OFBiz contains a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation (CWE-79). All versions prior to 24.09.06 are affected. An attacker exploits it by crafting a URL that carries a script payload in a request parameter the application echoes back into the page without encoding; when a user, authenticated or not, opens that URL, the payload runs in the user's browser within the OFBiz application's origin, so it can read and modify what that user can see and act with that user's session. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) records network attack vector, low complexity, no privileges required, user interaction required, changed scope, and low confidentiality and integrity impact with no availability impact, for a base score of 6.1 (Medium). Apache released version 24.09.06 on May 19, 2026 to remediate the issue. No exploitation in the wild and no use in ransomware campaigns has been reported.
- Vendor
- Apache Software Foundation
- Product
- Apache OFBiz
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-19
Who should care
Organizations running Apache OFBiz for ERP, e-commerce, or business process automation; security teams managing web application security programs; developers maintaining OFBiz customizations or plugins
Technical summary
Improper neutralization of input during web page generation (CWE-79) in Apache OFBiz allows reflected XSS. Affected versions: all before 24.09.06. Fixed in 24.09.06. Exploitation requires user interaction: the victim must open an attacker-supplied link. Scope is rated changed because the vulnerable component is the OFBiz web application while the impact lands in the victim's browser, a different security authority; the injected script runs with whatever session and privileges that victim holds in OFBiz, so a targeted administrator is the worst case.
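The pattern behind CWE-79 and why the fix is output encoding, as an added illustration that is not OFBiz code: the endpoint, the parameter name and the payload below are hypothetical (the advisory does not identify the affected OFBiz parameter). The vulnerable renderer writes a request parameter into two HTML contexts unencoded; the hardened one encodes per context. A small HTMLParser stand-in for the browser shows what each page turns into.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Added illustration of reflected XSS (CWE-79); not code from Apache OFBiz.
# Endpoint, parameter name and payload are hypothetical.

# Constructed attacker query string. URL-decoded, q is:  "><script>alert(1)</script>
# It closes the value="" attribute, then injects a script element.
PAYLOAD_QS = "q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"


def render_search_vulnerable(query_string):
    """Echoes the q parameter into element text and an attribute, unencoded."""
    q = parse_qs(query_string).get("q", [""])[0]
    return (f"<h1>Results for: {q}</h1>\n"
            f'<input name="q" value="{q}">')


def render_search_hardened(query_string):
    """Same page with output encoding chosen per context: element text needs
    & < > escaped; a quoted attribute value additionally needs the quotes."""
    q = parse_qs(query_string).get("q", [""])[0]
    text_ctx = html.escape(q, quote=False)
    attr_ctx = html.escape(q, quote=True)
    return (f"<h1>Results for: {text_ctx}</h1>\n"
            f'<input name="q" value="{attr_ctx}">')


class _TagCollector(HTMLParser):
    """Minimal stand-in for the browser's parser: records start tags in order
    and the decoded attributes of the <input> element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def rendered_tags(page):
    """Start tags a browser would see in the page, in document order."""
    p = _TagCollector()
    p.feed(page)
    p.close()
    return p.tags


def rendered_input_value(page):
    """The decoded value attribute of the <input>: what the user's input
    became after parsing. For the hardened page this is the original string
    as data; for the vulnerable page the attribute was cut short."""
    p = _TagCollector()
    p.feed(page)
    p.close()
    return p.input_attrs.get("value")


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened)):
        page = render(PAYLOAD_QS)
        print(f"{name}: tags={rendered_tags(page)} "
              f"input.value={rendered_input_value(page)!r}")
```

The vulnerable page yields two `script` elements (one in the heading, one after the truncated attribute); the hardened page yields only `h1` and `input`, and the input's value attribute decodes back to the attacker's string as inert data. Encoding is context-dependent: `quote=False` is enough for element text but would leave the attribute breakable, which is why template engines need the attribute context flagged separately.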
Defensive priority
medium
Recommended defensive actions
- Upgrade Apache OFBiz to version 24.09.06 or later; this is the only complete remediation
- Where a WAF fronts OFBiz, confirm its XSS rule set is enabled and in blocking mode for the OFBiz paths; treat it as a compensating control until the upgrade lands, not a replacement for it
- Audit web access logs for requests whose URL-decoded parameters (decode repeatedly to catch double encoding) contain script tags, event-handler attributes, or javascript: URIs; a 200 response to such a request is the case to examine first
- Review custom OFBiz screens, FreeMarker templates, and plugins for places that write request parameters into HTML without context-appropriate output encoding; the upgrade fixes the core product, not local customizations
- Test the upgrade in a non-production environment before production deployment
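A worked version of the log audit step, as an added example that is not part of the advisory and not an OFBiz component: it parses combined-format access log lines (constructed here for the demo, with documentation-range IPs), URL-decodes each request target repeatedly so double-encoded payloads are not missed, and flags the indicators named above. The indicator patterns and the three-round decode limit are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Added detection example; not from the advisory and not OFBiz code.
# Constructed access-log lines in Apache/Tomcat combined format.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:20:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.2 - - [19/May/2026:10:21:15 +0000] "GET /catalog?name=running+shoes HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:10:22:40 +0000] "GET /view?id=%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 2210 "-" "curl/8.0"
203.0.113.9 - - [19/May/2026:10:23:05 +0000] "GET /go?url=JaVaScRiPt:alert(document.cookie) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [19/May/2026:10:24:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns (this example's own choice; tune for your templates).
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "event_handler": re.compile(
        r"\bon(?:error|load|click|mouse\w+|focus|blur|input|change|submit|key\w+)\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_tag": re.compile(r"<\s*(?:svg|img|iframe|object|embed)\b", re.I),
}


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that a
    double-encoded payload such as %2522 -> %22 -> \" is seen in the clear.
    Returns (decoded, number_of_rounds_that_changed_something)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def audit_log(text):
    """Return one finding per request whose decoded target matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        decoded, rounds = fully_decode(m["target"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "target": m["target"], "decoded": decoded,
                "decode_rounds": rounds, "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"rounds={f['decode_rounds']} {f['indicators']} {f['decoded']}")
```

Of the five constructed lines, three are flagged: a plain script tag, a double-encoded event-handler injection that only appears after the second decode round, and a mixed-case javascript: URI. The benign `running+shoes` request is not flagged. Patterns like `onload=` can collide with legitimate parameter names, so triage on the decoded string and on whether the server answered 200 rather than on the match alone.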
Evidence notes
CVE published 2026-05-19T10:16:23.777Z; modified 2026-05-19T19:16:48.000Z. Vendor advisory issued via Apache security mailing list. Fix version 24.09.06 confirmed in vendor communication.
Official resources
- CVE-2026-31906 CVE record (CVE.org)
- CVE-2026-31906 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Mailing List, Vendor Advisory)
- Source reference: af854a3a-2127-422b-91ae-364da2661108 (2026-05-19)