PT-2026-37154 · Omnifaces · Omnifaces

Clapbr · Published 2026-04-16 · Updated 2026-05-08 · CVE-2026-41883

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OmniFaces versions prior to 1.14.2
OmniFaces versions prior to 2.7.32
OmniFaces versions prior to 3.14.16
OmniFaces versions prior to 4.7.5
OmniFaces versions prior to 5.2.3
Description
Server-side Expression Language (EL) injection that can lead to remote code execution (RCE), information disclosure, or denial of service. The flaw affects applications that register CDNResourceHandler with a wildcard CDN mapping (e.g. 'libraryName:*=https://cdn.example.com/*'), in which the requested resource name is substituted into the CDN URL. An attacker can craft a resource request URL whose resource name contains an EL expression; that expression is then evaluated on the server. The impact depends on the EL implementation in use and on the objects reachable from the EL context.
Recommendations
Update to version 1.14.2
Update to version 2.7.32
Update to version 3.14.16
Update to version 4.7.5
Update to version 5.2.3
Replace wildcard CDN mappings with explicit resource-to-URL mappings.
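The weak and the corrected mapping side by side, as an added illustration of the recommendation above; this is not configuration taken from the advisory or from the OmniFaces project. The context-parameter name org.omnifaces.CDN_RESOURCE_HANDLER_URLS and the handler class org.omnifaces.resourcehandler.CDNResourceHandler are the ones OmniFaces documents; the library name "mylib", the resource names and the CDN host are placeholders. The two context-param blocks are alternatives (a web.xml must carry only one of them), shown together for comparison.

```xml
<!-- faces-config.xml: registering the handler (class name as documented by OmniFaces) -->
<application>
    <resource-handler>org.omnifaces.resourcehandler.CDNResourceHandler</resource-handler>
</application>

<!-- web.xml, WEAK: a wildcard mapping. Any resource name requested under the
     library "mylib" is substituted for the "*" in the CDN URL, so an
     attacker-chosen name reaches the server-side URL construction. This is
     the pattern the advisory says to replace. "mylib" and the host are
     placeholders. -->
<context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
        mylib:*=https://cdn.example.com/mylib/*
    </param-value>
</context-param>

<!-- web.xml, CORRECTED: one explicit resource-to-URL entry per resource.
     Only the listed names are rewritten to the CDN; an unlisted name is not
     substituted into any URL, so no attacker-controlled string takes part in
     the mapping. Resource names here are placeholders. -->
<context-param>
    <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
    <param-value>
        mylib:js/app.js=https://cdn.example.com/mylib/js/app.js,
        mylib:css/app.css=https://cdn.example.com/mylib/css/app.css
    </param-value>
</context-param>
```

Rewriting the mapping removes the wildcard substitution path but is a complement to, not a substitute for, upgrading to one of the fixed versions listed above. After the change, confirm that every resource the application previously served through the wildcard is present as an explicit entry; any resource left out is simply no longer served from the CDN.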

Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-41883
GHSA-VP6R-9M58-5XV8

Affected Products

Omnifaces