FKIE_CVE-2026-32735

Vulnerability from fkie_nvd - Published: 2026-03-18 23:17 - Updated: 2026-03-19 13:25
Severity ?
2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Summary
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.
References
security-advisories@github.comhttps://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534
security-advisories@github.comhttps://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620
security-advisories@github.comhttps://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1
security-advisories@github.comhttps://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability."
    },
    {
      "lang": "es",
      "value": "openapi-to-java-records-mustache-templates permite a los usuarios generar Java Records a partir de especificaciones OpenAPI. A partir de la versi\u00f3n 5.1.1 y antes de la versi\u00f3n 5.5.1, el archivo POM padre de este proyecto (\u0027openapi-to-java-records-mustache-templates-parent\u0027), que se utiliza para centralizar las configuraciones de plugins para m\u00faltiples m\u00f3dulos de pruebas unitarias, utiliza \u0027maven-dependency-plugin\u0027 para desempaquetar archivos \u0027.mustache\u0027 arbitrarios del artefacto \u0027openapi-to-java-records-mustache-templates\u0027 (de la misma versi\u00f3n). Aunque este archivo POM padre no est\u00e1 destinado para uso externo, est\u00e1 publicado y podr\u00eda ser utilizado por cualquiera, y no sigue las mejores pr\u00e1cticas de seguridad. El riesgo, es que si \u0027openapi-to-java-records-mustache-templates\u0027 fuera comprometido, y se incluyeran archivos \u0027.mustache\u0027 maliciosos en el JAR/artefacto resultante, los usuarios desempaquetar\u00edan estos archivos autom\u00e1ticamente durante una actualizaci\u00f3n de dependencia. Esto se aborda en la versi\u00f3n v3.5.1 de \u0027openapi-to-java-records-mustache-templates-parent\u0027. Se recomienda encarecidamente NO utilizar el POM padre para uso externo. El m\u00f3dulo \u0027openapi-to-java-records-mustache-templates\u0027 es el centro de este proyecto, y los m\u00f3dulos y configuraciones circundantes no est\u00e1n destinados para uso en producci\u00f3n. Estos solo existen con fines de prueba y mantenibilidad."
    }
  ],
  "id": "CVE-2026-32735",
  "lastModified": "2026-03-19T13:25:00.570",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T23:17:29.710",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.