CVE-2026-32735 (GCVE-0-2026-32735)
Vulnerability from cvelistv5
Published
2026-03-18 22:13
Modified
2026-03-19 15:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Chrimle | openapi-to-java-records-mustache-templates-parent |
Version: >= 3.1.1, < 3.5.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T15:46:01.849351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T15:47:01.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openapi-to-java-records-mustache-templates-parent",
"vendor": "Chrimle",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.1, \u003c 3.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T22:13:39.901Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66"
},
{
"name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534"
},
{
"name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620"
},
{
"name": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1"
}
],
"source": {
"advisory": "GHSA-3hrg-hjvj-9v66",
"discovery": "UNKNOWN"
},
"title": "Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32735",
"datePublished": "2026-03-18T22:13:39.901Z",
"dateReserved": "2026-03-13T15:02:00.627Z",
"dateUpdated": "2026-03-19T15:47:01.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32735\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-19T15:46:01.849351Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-19T15:46:28.757Z\"}}], \"cna\": {\"title\": \"Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`\", \"source\": {\"advisory\": \"GHSA-3hrg-hjvj-9v66\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Chrimle\", \"product\": \"openapi-to-java-records-mustache-templates-parent\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.1.1, \u003c 3.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66\", \"name\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534\", \"name\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620\", \"name\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1\", \"name\": \"https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-18T22:13:39.901Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32735\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T15:47:01.919Z\", \"dateReserved\": \"2026-03-13T15:02:00.627Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-18T22:13:39.901Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…