Vulnerabilities

Report: Ultimate Guide: CVE-2026-41883 - OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

2026-05-08 0 views admin
Report: Ultimate Guide: CVE-2026-41883 - OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

CVE ID :CVE-2026-41883 Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago Description :OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. Severity: 8.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

Severity
HIGH
Published
May 8, 2026
Impact: Remote Code Execution

🏷️ Tags

reportultimateguide41883omnifacesinjectioncraftedresourcewildcardmapping

More from Vulnerabilities

Report: CVE-2026-42160 - Data Space Portal: Incorrect Authorization and Client-Side Enforcement of Server

Report: CVE-2026-42160 - Data Space Portal: Incorrect Authorization and Client-Side Enforcement of Server

2026-05-08 0
Report: CVE-2026-42190 - RedwoodSDK: Same-site CSRF in in server actions - Analysis

Report: CVE-2026-42190 - RedwoodSDK: Same-site CSRF in in server actions - Analysis

2026-05-08 0
Report: CVE-2026-42189 - Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth - Guide

Report: CVE-2026-42189 - Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth - Guide

2026-05-08 0
Report: CVE-2026-42181 - Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated

Report: CVE-2026-42181 - Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated

2026-05-08 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views