CVE-2026-41883

Summary

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:=https://cdn.example.com/). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.

Affected Software

VendorProductVersion RangeStatus
omnifacesomnifaces< 1.14.2affected
omnifacesomnifaces>= 2.0-RC1, < 2.7.32affected
omnifacesomnifaces>= 3.0-RC1, < 3.14.16affected
omnifacesomnifaces>= 4.0-M1, < 4.7.5affected
omnifacesomnifaces>= 5.0-M1, < 5.2.3affected

Weaknesses

  • CWE-917: CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References