CVE-2026-32735

openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534
https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620
https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1
https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-18 23:17

Updated : 2026-03-19 13:25

NVD link : CVE-2026-32735

Mitre link : CVE-2026-32735

CVE.ORG link : CVE-2026-32735

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2026-32735", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T23:17:29.710", "references": [{"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/534", "source": "security-advisories@github.com"}, {"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/pull/620", "source": "security-advisories@github.com"}, {"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/releases/tag/v3.5.1", "source": "security-advisories@github.com"}, {"url": "https://github.com/Chrimle/openapi-to-java-records-mustache-templates/security/advisories/GHSA-3hrg-hjvj-9v66", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability."}, {"lang": "es", "value": "openapi-to-java-records-mustache-templates permite a los usuarios generar Java Records a partir de especificaciones OpenAPI. A partir de la versi\u00f3n 5.1.1 y antes de la versi\u00f3n 5.5.1, el archivo POM padre de este proyecto ('openapi-to-java-records-mustache-templates-parent'), que se utiliza para centralizar las configuraciones de plugins para m\u00faltiples m\u00f3dulos de pruebas unitarias, utiliza 'maven-dependency-plugin' para desempaquetar archivos '.mustache' arbitrarios del artefacto 'openapi-to-java-records-mustache-templates' (de la misma versi\u00f3n). Aunque este archivo POM padre no est\u00e1 destinado para uso externo, est\u00e1 publicado y podr\u00eda ser utilizado por cualquiera, y no sigue las mejores pr\u00e1cticas de seguridad. El riesgo, es que si 'openapi-to-java-records-mustache-templates' fuera comprometido, y se incluyeran archivos '.mustache' maliciosos en el JAR/artefacto resultante, los usuarios desempaquetar\u00edan estos archivos autom\u00e1ticamente durante una actualizaci\u00f3n de dependencia. Esto se aborda en la versi\u00f3n v3.5.1 de 'openapi-to-java-records-mustache-templates-parent'. Se recomienda encarecidamente NO utilizar el POM padre para uso externo. El m\u00f3dulo 'openapi-to-java-records-mustache-templates' es el centro de este proyecto, y los m\u00f3dulos y configuraciones circundantes no est\u00e1n destinados para uso en producci\u00f3n. Estos solo existen con fines de prueba y mantenibilidad."}], "lastModified": "2026-03-19T13:25:00.570", "sourceIdentifier": "security-advisories@github.com"}