Apache OFBiz CVEs disclosed May 18
- Apache OFBiz maintainers’ public security pages and advisories show multiple recently disclosed flaws, including code-execution and upload bugs, with fixes published in supported releases.
- Apache’s security page lists CVE-2025-59118, an unrestricted file-upload bug fixed in OFBiz 24.09.03, alongside earlier SSRF-and-code-injection issues in 18.12.x.
- Administrators can verify affected versions and fixed releases on Apache OFBiz’s security page and the corresponding advisory entries in Apache’s mailing-list archives.

Apache OFBiz’s public security records show a fresh run of disclosed vulnerabilities around mid-May, but the details are more specific than the initial social-media alerts suggested. Apache’s OFBiz security page currently lists recently fixed flaws including CVE-2025-59118, described in Apache’s advisory archive as a remote command execution path via unrestricted file upload, and CVE-2025-61623, a reflected cross-site scripting issue, both fixed in version 24.09.03.

Apache’s records also show that OFBiz has continued to publish fixes for older 18.12.x releases, including earlier server-side request forgery and code-injection bugs. The project’s security page lists CVE-2024-47208 and CVE-2024-45507 among the known vulnerabilities, with fixes in 18.12.17 and 18.12.16 respectively.

### Which OFBiz flaws are actually confirmed in public records?

Apache’s mailing-list archive describes CVE-2025-59118 as an “Unrestricted Upload of File with Dangerous Type” vulnerability affecting OFBiz versions before 24.09.03, and says users should upgrade to 24.09.03. (ofbiz.apache.org) The archive entry labels it “important” severity and frames it as a critical remote command execution issue via file upload.

Apache’s security page separately lists CVE-2025-61623 as affecting releases before 24.09.03 and says it was fixed in that version. (ofbiz.apache.org) The advisory archive describes that issue as reflected cross-site scripting rather than authentication bypass or code injection.

### Where did the “code injection” language come from?

CVE.org’s record for CVE-2024-47208 says Apache OFBiz had a server-side request forgery and “Improper Control of Generation of Code” vulnerability affecting versions before 18.12.17. (lists.apache.org) The CVE record says the issue involved URLs allowing remote use of Groovy expressions and recommended upgrading to 18.12.17.

Apache’s advisory archive also lists CVE-2024-45507 as another OFBiz issue combining SSRF and code injection, affecting versions before 18.12.16. (ofbiz.apache.org) That means the public OFBiz record does support code-injection language, but in the verified sources it is tied to 2024 CVEs still listed on Apache’s security page, not to every newly surfaced May 2026 item.

### Was there also an authentication problem in OFBiz?

Apache’s archive shows OFBiz has disclosed authentication and authorization-related flaws in prior advisories. (cve.org) CVE-2024-38856 is described as an incorrect-authorization issue in versions through 18.12.14, where unauthenticated endpoints could allow execution of screen-rendering code under certain conditions.

Apache’s archive also lists CVE-2024-25065 as a path traversal bug that allowed authentication bypass in OFBiz versions before 18.12.12. (lists.apache.org) Those records support the broader pattern of OFBiz flaws spanning both access-control and code-execution classes.

### What do the version numbers tell administrators?

Apache’s security page divides the fixes across two maintained lines: 24.09.x and 18.12.x. The page says CVE-2025-59118 and CVE-2025-61623 were fixed in 24.09.03, while older high-risk issues such as CVE-2024-47208 and CVE-2024-45507 were fixed in 18.12.17 and 18.12.16. (lists.apache.org)

Apache’s download page shows 24.09.05 as the current 24.09 release and says the project encourages users to report security problems privately before public disclosure. (lists.apache.org) That means organizations still running versions older than 24.09.03 or unpatched 18.12.x builds should check Apache’s advisory list against their deployed branch.

### Where should defenders look next?

Apache’s OFBiz security page is the main index for affected releases, fixed versions and commit references. Apache’s mailing-list advisories provide the per-CVE descriptions, including the upload flaw in CVE-2025-59118 and the older SSRF-and-code-injection entries for CVE-2024-47208 and CVE-2024-45507. (ofbiz.apache.org)

Apache’s current guidance is straightforward in those advisories: upgrade to the fixed release named for each CVE. For the newest items visible on the project’s public security page, that means at least OFBiz 24.09.03 on the 24.09 branch, while older 18.12.x deployments should verify they are on the patched releases cited in Apache’s records. (ofbiz.apache.org 1) (ofbiz.apache.org 2)
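As an added illustration of the version check the administrators’ section describes (my own example, not code from Apache or the OFBiz project), the script below compares a constructed host inventory against the fixed releases named in the advisories above. It reads “fixed in X” literally as “every numerically lower version is affected”, and records CVE-2024-38856 (“through 18.12.14”) as fixed in 18.12.15, which is an inference from that wording rather than a stated fact.

```python
"""Check deployed Apache OFBiz versions against the fixed releases named in the
advisories discussed above. Version data is transcribed from the article above,
not fetched from Apache; the host inventory is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    summary: str
    fixed_in: tuple  # first release stated (or inferred) to be unaffected


# CVE-2024-38856 is listed as affecting versions "through 18.12.14"; treating
# 18.12.15 as the first unaffected release is an assumption drawn from that.
ADVISORIES = [
    Advisory("CVE-2025-59118", "unrestricted file upload / remote command execution", (24, 9, 3)),
    Advisory("CVE-2025-61623", "reflected cross-site scripting", (24, 9, 3)),
    Advisory("CVE-2024-47208", "SSRF and code injection via Groovy expressions", (18, 12, 17)),
    Advisory("CVE-2024-45507", "SSRF and code injection", (18, 12, 16)),
    Advisory("CVE-2024-38856", "incorrect authorization on unauthenticated endpoints", (18, 12, 15)),
    Advisory("CVE-2024-25065", "path traversal allowing authentication bypass", (18, 12, 12)),
]


def parse_version(text: str) -> tuple:
    """Turn '24.09.03' into (24, 9, 3). Tolerates a leading 'v' and a trailing
    qualifier such as '-SNAPSHOT'; rejects anything that is not three integers."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    return tuple(int(p) for p in parts)


def unpatched_cves(deployed: str) -> list:
    """CVE ids whose fixed release is numerically newer than the deployed version."""
    version = parse_version(deployed)
    return [a.cve for a in ADVISORIES if version < a.fixed_in]


def report(inventory: dict) -> dict:
    """Map each host in {host: version} to its list of outstanding CVE ids."""
    return {host: unpatched_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are illustrative only.
    sample = {"erp-prod-1": "24.09.02", "erp-legacy": "18.12.15", "erp-dev": "24.09.05"}
    for host, cves in report(sample).items():
        print(f"{host}: {'up to date' if not cves else ', '.join(cves)}")
```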