CVE-2025-26796: Apache Oozie Cross-Site Scripting (XSS)

March 22, 2025 (updated March 24, 2025)

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Oozie.

This issue affects Apache Oozie: all versions.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

github.com/advisories/GHSA-fmxw-76xq-cmqq
github.com/apache/oozie
lists.apache.org/thread/fzrmsslnrpl0vpp0jr73fosmfjv4omdq
nvd.nist.gov/vuln/detail/CVE-2025-26796

Code Behaviors & Features

Detect and mitigate CVE-2025-26796 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →