CVE-2026-22244

Опубликовано: 08 янв. 2026

Источник: nvd

CVSS3: 7.2

EPSS Низкий

Описание

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

Ссылки

https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3
Patch
https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7
Exploit
Vendor Advisory
https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:open-metadata:openmetadata:*:*:*:*:*:*:*:*

Версия до 1.11.4 (исключая)

EPSS

Процентиль: 58%

0.00372

Низкий

7.2 High

CVSS3

Дефекты

CWE-1336

CWE-94

Связанные уязвимости

GHSA-5f29-2333-h9c7

CVSS3: 9.1

github

около 1 месяца назад

OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE