CVE-2026-41883: OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

April 16, 2026 (updated April 30, 2026)

Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side.

The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.

Applications using CDNResourceHandler without wildcard mappings (i.e. only explicit resource-to-URL mappings) are not affected.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-41883 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →