CVE-2026-41883

HIGH NVD

CVSS Score 8.1

Severity HIGH

Published May 08, 2026

Vendor unknown

Description

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.

References

https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8