
Clapbr

#31416 of 53,624
8.1 Total CVSS
Vulnerabilities · 1
PT-2026-37154
8.1
2026-04-16
Omnifaces · Omnifaces · CVE-2026-41883
**Name of the Vulnerable Software and Affected Versions**

- OmniFaces versions prior to 1.14.2
- OmniFaces versions prior to 2.7.32
- OmniFaces versions prior to 3.14.16
- OmniFaces versions prior to 4.7.5
- OmniFaces versions prior to 5.2.3

**Description**

Server-side Expression Language (EL) injection allows for Remote Code Execution (RCE), information disclosure, or denial of service. This occurs in applications using `CDNResourceHandler` with a wildcard CDN mapping (e.g., `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request URL containing an EL expression in the resource name, which is then evaluated on the server. The impact depends on the EL implementation and the objects available in the EL context.

**Recommendations**

- Update to version 1.14.2
- Update to version 2.7.32
- Update to version 3.14.16
- Update to version 4.7.5
- Update to version 5.2.3
- Replace wildcard CDN mappings with explicit resource-to-URL mappings.
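
A configuration check for the last recommendation, added here as an example and not taken from the advisory or from OmniFaces itself: it scans a `web.xml` for wildcard CDN mappings that should be replaced with explicit ones. The context-param name is an assumption taken from the OmniFaces documentation, the function names are hypothetical, and the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: context-param name as documented by OmniFaces for
# CDNResourceHandler; it does not appear in the advisory text.
CDN_PARAM = "org.omnifaces.CDN_RESOURCE_HANDLER_URLS"

# Constructed sample web.xml: one wildcard mapping (the pattern from the
# advisory) next to one explicit resource-to-URL mapping.
SAMPLE_WEB_XML = """
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
      libraryName:*=https://cdn.example.com/*,
      js/app.js=https://cdn.example.com/js/app.js
    </param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so javaee and jakartaee descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def wildcard_cdn_mappings(web_xml_text):
    """Return the CDN mappings whose resource side contains a '*' wildcard."""
    flagged = []
    for node in ET.fromstring(web_xml_text).iter():
        if _local(node.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        if fields.get("param-name") != CDN_PARAM:
            continue
        # Mappings are comma-separated "resource=url" pairs.
        for entry in fields.get("param-value", "").split(","):
            resource, sep, _url = entry.strip().partition("=")
            if sep and "*" in resource:
                flagged.append(entry.strip())
    return flagged


if __name__ == "__main__":
    for mapping in wildcard_cdn_mappings(SAMPLE_WEB_XML):
        print("wildcard CDN mapping, replace with explicit entries:", mapping)
```

An empty result covers only the mapping recommendation; the version updates listed above still apply.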