Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
OmniFaces: Attackers can run malicious code on your server
GHSA-vp6r-9m58-5xv8
Summary
If you use OmniFaces with a specific type of CDN setup, a hacker could inject malicious code into your server, potentially allowing them to take control of your server or steal sensitive information. To fix this, update to the latest version of OmniFaces or replace your CDN setup with explicit mappings instead of using wildcards.
What to do
- Update omnifaces org.omnifaces:omnifaces to version 1.14.2.
- Update omnifaces org.omnifaces:omnifaces to version 2.7.32.
- Update omnifaces org.omnifaces:omnifaces to version 3.14.16.
- Update omnifaces org.omnifaces:omnifaces to version 4.7.5.
- Update omnifaces org.omnifaces:omnifaces to version 5.2.3.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Maven | omnifaces | org.omnifaces:omnifaces |
< 1.14.2 >= 2.0-RC1, < 2.7.32 >= 3.0-RC1, < 3.14.16 >= 4.0-M1, < 4.7.5 >= 5.0-M1, < 5.2.3 Fix: upgrade to 1.14.2
|
Original title
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Original description
### Impact
Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request
URL containing an EL expression in the resource name, which is evaluated server-side.
The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.
Applications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.
### Patches
Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.
### Workarounds
Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:
```
libraryName:*=https://cdn.example.com/*
```
with individual entries:
```
libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
```
Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request
URL containing an EL expression in the resource name, which is evaluated server-side.
The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.
Applications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.
### Patches
Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.
### Workarounds
Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:
```
libraryName:*=https://cdn.example.com/*
```
with individual entries:
```
libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
```
osv CVSS3.1
8.1
Vulnerability type
CWE-917
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026