Code Injection Vulnerability in Apache OFBiz Scrum Plugin
CVE-2025-54466

CVSS v3.1 base score: 6.3 (MEDIUM)

Key Information:

Vendor: Apache
Product: Apache OFBiz (scrum plugin)
CVE Published: 15 August 2025

What is CVE-2025-54466?

CVE-2025-54466 is a code injection vulnerability in the scrum plugin of Apache OFBiz. It can lead to remote code execution (RCE) by an unauthenticated attacker; the CVSS vector below agrees that no privileges are required but also records that user interaction is required, which is why the base score is 6.3 (Medium) rather than Critical. All OFBiz releases before 24.09.02 are affected, including the older release lines. Deployments that load the scrum plugin should upgrade to 24.09.02 or later, which contains the fix; installations that do not ship the plugin do not contain the vulnerable code.

Affected Version(s)

Apache OFBiz: all versions before 24.09.02 (fixed in 24.09.02)
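A small triage helper that encodes the affected range stated above (every release before 24.09.02, so the 18.12.x and 22.01.x lines count as affected too) together with the fact that the vulnerable code lives in the optional scrum plugin. This is an added example, not code from the advisory or from the Apache OFBiz project. It assumes the plugin can be detected by the presence of plugins/scrum/ofbiz-component.xml under the OFBiz home directory, the layout of a source checkout with the ofbiz-plugins repository in plugins/; adjust SCRUM_COMPONENT if your deployment differs. A build string carrying a qualifier such as 24.09.02-SNAPSHOT is deliberately sorted below the final 24.09.02 release, because a snapshot cut before the fix landed does not contain it.

```python
"""Triage helper for CVE-2025-54466 (added example, not from the advisory or OFBiz).

Encodes: affected = every release before 24.09.02; vulnerable code is in the
optional scrum plugin. Plugin location is an ASSUMPTION (see SCRUM_COMPONENT).
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Tuple

FIXED_VERSION = "24.09.02"  # from the advisory: affected = before 24.09.02
# Assumed layout: ofbiz-plugins checked out into plugins/, each plugin carrying
# an ofbiz-component.xml descriptor. Adjust for your deployment.
SCRUM_COMPONENT = Path("plugins") / "scrum" / "ofbiz-component.xml"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn an OFBiz release string into a comparable tuple.

    Accepts '24.09.02', '22.01.05', '18.12.17', an optional leading 'v' and a
    trailing qualifier such as '-SNAPSHOT'. Missing components are padded with 0.
    A qualified build sorts below the numbered release it names, so a snapshot
    of 24.09.02 is treated as affected (the conservative choice).
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)(\S*)\s*", version)
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {version!r}")
    numeric = [int(part) for part in m.group(1).split(".")]
    numeric += [0] * (3 - len(numeric))          # 24.09 -> 24.09.00
    qualifier = m.group(2).strip("-_. ")
    return (*numeric, -1 if qualifier else 0)     # final release: 0, snapshot: -1


def is_affected(version: str) -> bool:
    """True when the release predates the 24.09.02 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scrum_plugin_present(ofbiz_home: Path) -> bool:
    """True when the (assumed) scrum component descriptor exists under ofbiz_home."""
    return (ofbiz_home / SCRUM_COMPONENT).is_file()


def triage(version: str, ofbiz_home: Path) -> str:
    """Combine the version-range and plugin-presence checks into one verdict."""
    if not is_affected(version):
        return f"not affected: {version} is {FIXED_VERSION} or later"
    if not scrum_plugin_present(ofbiz_home):
        return (f"in range but scrum plugin not found: {version} predates {FIXED_VERSION}; "
                f"confirm the plugin is not loaded from another path")
    return (f"AFFECTED: {version} predates {FIXED_VERSION} and the scrum plugin is "
            f"installed; upgrade to {FIXED_VERSION} or later")


def demo() -> Dict[str, str]:
    """Run triage against constructed OFBiz home directories (sample data, not real installs)."""
    verdicts: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        with_plugin = Path(tmp) / "ofbiz-with-scrum"
        (with_plugin / SCRUM_COMPONENT).parent.mkdir(parents=True)
        (with_plugin / SCRUM_COMPONENT).write_text('<ofbiz-component name="scrum"/>')
        without_plugin = Path(tmp) / "ofbiz-plain"
        without_plugin.mkdir()

        verdicts["22.01.05+scrum"] = triage("22.01.05", with_plugin)
        verdicts["24.09.01 no plugin"] = triage("24.09.01", without_plugin)
        verdicts["24.09.02+scrum"] = triage("24.09.02", with_plugin)
        verdicts["24.09.02-SNAPSHOT+scrum"] = triage("24.09.02-SNAPSHOT", with_plugin)
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} -> {verdict}")
```

Point `triage()` at the real OFBiz home and the version string reported by your build to get a verdict for a live deployment; the "in range but plugin not found" branch is intentionally not a clean "not affected", since a plugin loaded from a non-default path would be missed by a filesystem check alone.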


CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Score: 6.3
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability reserved
  • Vulnerability published: 15 August 2025

Credit

Teeramet Eakwilai
Thanasin Luangpipat
Jarukit Auikritskul