Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

1 vulnerability by Chrimle

CVE-2026-32735 (GCVE-0-2026-32735)

Vulnerability from cvelistv5 – Published: 2026-03-18 22:13 – Updated: 2026-03-19 15:47
VLAI?
Title
Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`
Summary
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.
Severity ?
2.3 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
Chrimle openapi-to-java-records-mustache-templates-parent Affected: >= 3.1.1, < 3.5.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32735",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-19T15:46:01.849351Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-19T15:47:01.919Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openapi-to-java-records-mustache-templates-parent",
          "vendor": "Chrimle",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.1.1, \u003c 3.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T22:13:39.901Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66"
        },
        {
          "name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534"
        },
        {
          "name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620"
        },
        {
          "name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1"
        }
      ],
      "source": {
        "advisory": "GHSA-3hrg-hjvj-9v66",
        "discovery": "UNKNOWN"
      },
      "title": "Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32735",
    "datePublished": "2026-03-18T22:13:39.901Z",
    "dateReserved": "2026-03-13T15:02:00.627Z",
    "dateUpdated": "2026-03-19T15:47:01.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}