← voltar
CVE-2026-45083

Goobi viewer: Unauthenticated Solr Streaming Expression Proxy

CVSS 9.8 CRITICALEPSS 0.4%CWE-306
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 9.8EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
27 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H