PT-2026-39423 · Codelib · Fess
R1Ckyz · Published 2026-05-09 · Updated 2026-05-10 · CVE-2026-8211
CVSS v2.0: 5.8 (Medium)
| Vector | AV:N/AC:L/Au:M/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
codelibs Fess versions prior to 15.5.2
Description
Remote code injection is possible via the JSP file handler component. The update() method in org/codelibs/fess/app/web/admin/design/AdminDesignAction.java does not properly validate the content argument, allowing a remote attacker who can reach the admin design action (authentication is required, per the CVSS vector) to inject malicious code.
Recommendations
Update to Fess 15.5.2 or later (15.5.1 is the last affected release).
As a temporary workaround, restrict access to the admin design page that invokes the update() action in AdminDesignAction.java, for example by limiting the Fess admin UI to trusted networks and administrators, to reduce the risk of exploitation.
Exploit
Fix
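The advisory above says the content argument is written through a JSP file handler without adequate validation. Two practical consequences follow for operators: a patched instance may still carry templates that were modified before the update, and any template-editing action should refuse content that turns static markup into server-side code. The scanner below is an added example, not code from the Fess project or from this advisory, and it does not describe Fess's own validation or fix. It flags JSP scriptlets, expressions and declarations, their XML-syntax equivalents, and EL expressions that reach for reflection or process execution. The rule set, the assumed template directory layout, and the two sample templates are this example's own assumptions.

```python
"""Scan JSP design templates for server-side scripting constructs.

Added example for this advisory; it is not code from the Fess project and
does not describe Fess's own validation or fix. The patterns, the assumed
template directory layout and the sample templates below are assumptions
of this example.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (1-based line number, rule name, matched text)

# Constructs that turn a template from static markup into executable code.
# '<%@' (page/taglib directives) and '<%--' (comments) are deliberately not
# matched: a directive on its own executes nothing.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # <% scriptlet %>, <%= expression %>, <%! declaration %>
    ("jsp-scriptlet", re.compile(r"<%(?![@-])[=!]?")),
    # XML-syntax equivalents of the above
    ("jsp-xml-scripting", re.compile(r"<jsp:(scriptlet|expression|declaration)\b", re.I)),
    # EL expressions that reach for reflection or process execution
    ("el-reflection", re.compile(r"\$\{[^}]*(getClass|forName|Runtime|ProcessBuilder)[^}]*\}")),
]


def find_scriptlets(content: str) -> List[Finding]:
    """Return every rule hit in `content`, with the line it occurs on."""
    findings: List[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(0)))
    return findings


def is_safe_design_content(content: str) -> bool:
    """Gate a template-editing action could apply before writing `content` to disk."""
    return not find_scriptlets(content)


def scan_directory(root: Path, suffixes=(".jsp", ".jspx", ".tag")) -> Dict[str, List[Finding]]:
    """Scan every template under `root`; only files with findings are returned."""
    results: Dict[str, List[Finding]] = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_scriptlets(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample templates used to exercise the scanner (not real Fess files).
BENIGN_TEMPLATE = """<%@ page pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- header template, constructed sample --%>
<header>
  <h1><c:out value="${param.q}"/></h1>
</header>
"""

INJECTED_TEMPLATE = """<%@ page import="java.io.*" %>
<header>
  <% Runtime.getRuntime().exec(request.getParameter("c")); %>
  <h1>${''.getClass().forName('java.lang.Runtime')}</h1>
</header>
"""


if __name__ == "__main__":
    # Usage: python jsp_scriptlet_scan.py /path/to/webapp/WEB-INF/view
    # The directory is an assumption; point it at wherever your deployment
    # keeps its design templates. With no argument, the samples are scanned.
    if len(sys.argv) > 1:
        for path, hits in scan_directory(Path(sys.argv[1])).items():
            for lineno, rule, text in hits:
                print(f"{path}:{lineno}: {rule}: {text}")
    else:
        for name, template in (("benign", BENIGN_TEMPLATE), ("injected", INJECTED_TEMPLATE)):
            print(name, find_scriptlets(template))
```

Run it once over the deployed template directory after updating: a legitimate design template that genuinely needs a scriptlet will also be reported, so treat hits as review items rather than verdicts. The same `is_safe_design_content` check is the shape of allow-list gate an admin template editor should apply to the content argument before the file handler writes it.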
Code Injection
Special Elements Injection
Related Identifiers
Affected Products
Fess