CVE-2026-41883
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Description
### Impact

Server-side EL injection leading to Remote Code Execution (RCE).

Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side.

The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.

Applications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.

### Patches

Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.

### Workarounds

Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:

```
libraryName:*=https://cdn.example.com/*
```

with individual entries:

```
libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
```
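As an added audit helper, not OmniFaces code, the following Python parses a CDNResourceHandler mapping value in the `libraryName:resourceName=URL` form shown above, reports wildcard entries, and rewrites each one as the explicit per-resource entries the workaround asks for. The sample mapping value and the resource inventory are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample mapping value: one wildcard entry (affected), one explicit entry (not).
SAMPLE_MAPPINGS = (
    "libraryName:*=https://cdn.example.com/*, "
    "other:app.css=https://cdn.example.com/app.css"
)
# Constructed inventory of the resources each library actually serves.
KNOWN_RESOURCES = {"libraryName": ["resource1.js", "resource2.js"]}

@dataclass(frozen=True)
class CdnMapping:
    library: Optional[str]  # None when the entry has no "library:" prefix
    resource: str           # resource name, or "*" for a wildcard entry
    url: str

    @property
    def is_wildcard(self) -> bool:
        return self.resource == "*"

    def render(self) -> str:
        key = f"{self.library}:{self.resource}" if self.library else self.resource
        return f"{key}={self.url}"

def parse_mappings(value: str) -> list[CdnMapping]:
    """Parse a comma-separated list of 'library:resource=url' entries."""
    mappings = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        key, sep, url = entry.partition("=")
        if not sep:
            raise ValueError(f"mapping entry without '=': {entry!r}")
        library, colon, resource = key.strip().partition(":")
        if not colon:  # bare 'resource=url' entry without a library part
            library, resource = None, library
        mappings.append(CdnMapping(library, resource.strip(), url.strip()))
    return mappings

def find_wildcard_mappings(value: str) -> list[CdnMapping]:
    """Return the entries that put the application on the vulnerable wildcard path."""
    return [m for m in parse_mappings(value) if m.is_wildcard]

def expand_wildcards(value: str, known: dict) -> str:
    """Rewrite wildcard entries as explicit ones for the resources listed in `known`;
    the '*' in the CDN URL is replaced by each resource name, as the handler would."""
    out = []
    for m in parse_mappings(value):
        names = known.get(m.library, []) if m.is_wildcard else [m.resource]
        out += [CdnMapping(m.library, n, m.url.replace("*", n)) for n in names]
    return ", ".join(m.render() for m in out)
```

Run `find_wildcard_mappings` over the mapping value from each deployment's configuration; an empty result means the application only uses the explicit mappings the advisory describes as not affected.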
How to fix CVE-2026-41883
To remediate CVE-2026-41883, upgrade the affected package to a fixed version below.
- —upgrade to 1.14.2 or later
Is CVE-2026-41883 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.14.2