CVE-2026-41883
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Description
### Impact

Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side.

The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.

Applications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.

### Patches

Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.

### Workarounds

Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:

```
libraryName:*=https://cdn.example.com/*
```

with individual entries:

```
libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
```
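To make the workaround easier to apply at scale, here is an added audit helper (example code, not part of the advisory or of OmniFaces itself). It parses the `library:resource=url` mapping syntax shown above, reports any wildcard entries, and rewrites them into the explicit per-resource form the workaround recommends, refusing to guess when no resource list is known for a library. It assumes the mappings are configured in the `org.omnifaces.CDN_RESOURCE_HANDLER_URLS` context-param of `web.xml`; the sample `web.xml` is constructed for the example.

```python
"""Audit helper for OmniFaces CDNResourceHandler mappings (added example)."""
import xml.etree.ElementTree as ET

# Assumption: OmniFaces reads its CDN mappings from this web.xml context-param.
CDN_URLS_PARAM = "org.omnifaces.CDN_RESOURCE_HANDLER_URLS"

# Constructed sample web.xml with one wildcard mapping and one explicit mapping.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
      libraryName:*=https://cdn.example.com/*,
      other:app.css=https://cdn.example.com/css/app.css
    </param-value>
  </context-param>
</web-app>
"""


def parse_cdn_mappings(value):
    """Parse 'library:resource=url, ...' into (library, resource, url) tuples."""
    mappings = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # Split on the first '=' so ':' inside the URL scheme is left untouched.
        key, sep, url = entry.partition("=")
        if not sep:
            raise ValueError(f"mapping without '=': {entry!r}")
        library, sep, resource = key.strip().partition(":")
        if not sep or not library or not resource:
            raise ValueError(f"mapping without 'library:resource': {entry!r}")
        mappings.append((library.strip(), resource.strip(), url.strip()))
    return mappings


def find_wildcard_mappings(mappings):
    """Return the mappings whose resource part is '*' (the form affected here)."""
    return [m for m in mappings if m[1] == "*"]


def harden_mappings(mappings, known_resources):
    """Replace each wildcard mapping with one explicit entry per known resource.

    known_resources maps a library name to the resources that library really
    serves. A wildcard for a library with no known list cannot be expanded
    safely, so it is reported as an error rather than guessed.
    """
    explicit = []
    for library, resource, url in mappings:
        if resource != "*":
            explicit.append((library, resource, url))
            continue
        names = known_resources.get(library)
        if not names:
            raise ValueError(f"no resource list for wildcard library {library!r}")
        for name in names:
            # The '*' in the URL is filled with the concrete resource name.
            explicit.append((library, name, url.replace("*", name)))
    return explicit


def format_mappings(mappings):
    """Serialise mappings back to the comma-separated context-param syntax."""
    return ", ".join(f"{lib}:{res}={url}" for lib, res, url in mappings)


def _local(tag):
    """Strip the XML namespace so web.xml works whatever schema it declares."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return wildcard CDN mappings found in a web.xml document ([] if none)."""
    root = ET.fromstring(xml_text)
    for param in root.iter():
        if _local(param.tag) != "context-param":
            continue
        name = value = None
        for child in param:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = child.text or ""
        if name == CDN_URLS_PARAM and value:
            return find_wildcard_mappings(parse_cdn_mappings(value))
    return []


if __name__ == "__main__":
    print("wildcard mappings:", audit_web_xml(SAMPLE_WEB_XML))
    wildcard = parse_cdn_mappings("libraryName:*=https://cdn.example.com/*")
    known = {"libraryName": ["resource1.js", "resource2.js"]}
    print(format_mappings(harden_mappings(wildcard, known)))
```

Run it against a real `web.xml` by passing the file contents to `audit_web_xml`; a non-empty result means the application is in the affected configuration until it is upgraded or the mappings are made explicit. Expanding a wildcard requires an accurate inventory of the resources actually served from that library, which is why `harden_mappings` refuses to proceed without one.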
How to fix CVE-2026-41883
To fix CVE-2026-41883, upgrade the affected package to one of the patched versions listed below.
- — Upgrade to 1.14.2 or later
Is CVE-2026-41883 being exploited?
Low: EPSS is 0.3%, and no widespread exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 1.14.2
CVSS score
| Source | Version | Severity |
|---|---|---|