EUVD-2021-1329

🗓️ 07 Oct 2025 00:30:54Reported by EUVDType

Apache MyFaces Core versions use weak CSRF tokens, risking user security against unwanted actions.

Reporter	Title	Published	Views	Family All 54
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-26296)	22 Apr 202108:28	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296)	13 Apr 202104:40	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM WebSphere Appilcation Server and WebSphere Application Server Liberty affects IBM Engineering ELM products on IBM Jazz technology.	1 Jun 202115:41	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise	17 Oct 202400:55	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Apache MyFaces affects WebSphere Application Server in IBM Cloud (CVE-2021-26296)	9 Apr 202118:27	–	ibm
IBM Security Bulletins	Security Bulletin: Novalink is impacted by Apache MyFaces affects WebSphere Liberty, middle vulnerability in WebSphere Application Server Liberty (CVE-2021-26296)	30 Jul 202105:03	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in WebSphere Application Server is vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296)	13 Apr 202104:47	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Business Service Manager (CVE-2021-26296)	15 Jun 202116:02	–	ibm
IBM Security Bulletins	Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability (CVE-2021-26296)	25 Jun 202120:12	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2021-26296)	26 Apr 202114:11	–	ibm

[
  {
    "enisaIdVendor": [
      {
        "id": "0ca87f82-b9e0-34b2-bc99-7dfa9efe810e",
        "vendor": {
          "name": "Apache Software Foundation"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "49c17f1b-f708-30d3-aec1-85acffebe38b",
        "product": {
          "name": "Apache MyFaces Core"
        },
        "product_version": "Apache MyFaces Core 2.3-next <2.3-next-M5"
      },
      {
        "id": "81b3aa95-b2f4-30c3-ad92-5c5eced70de1",
        "product": {
          "name": "Apache MyFaces Core"
        },
        "product_version": "Apache MyFaces Core 2.3 <2.3.8"
      },
      {
        "id": "a76d20d9-9cc3-3da0-ae8b-444920da4b34",
        "product": {
          "name": "Apache MyFaces Core"
        },
        "product_version": "Apache MyFaces Core 2.2 <2.2.14"
      },
      {
        "id": "c9bf7b8f-efc1-39d7-b51a-264bbdb91d36",
        "product": {
          "name": "Apache MyFaces Core"
        },
        "product_version": "Apache MyFaces Core 3.0 <3.0.0"
      }
    ]
  }
]

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2021-26296
github	www.github.com/apache/myfaces/commit/cc6e1cc7b9aa17e52452f7f2657b3af9c421b2b2
issues	www.issues.apache.org/jira/browse/MYFACES-4373
lists	www.lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E
security	www.security.netapp.com/advisory/ntap-20210528-0007
packetstormsecurity	www.packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html
seclists	www.seclists.org/fulldisclosure/2021/Feb/66
packetstormsecurity	www.packetstormsecurity.com/files/cve/CVE-2021-26296
security	www.security.netapp.com/advisory/ntap-20210528-0007/
github	www.github.com/advisories/GHSA-293c-r3p4-g63r

07 Oct 2025 00:30Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.17.5

CVSS 25.1

EPSS0.00321