Cyber Resilience

CVE-2025-26865

Low

Published: 10 March 2025

Published
10 March 2025
Modified
23 June 2025
KEV Added
Patch
CVSS Score v3.1 3.5 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0040 61.2th percentile
Risk Priority 7 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26865 is a low-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Apache Ofbiz. Its CVSS base score is 3.5 (Low).

Operationally, ranked in the top 38.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not…

more

recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
ofbiz
18.12.17

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References