CVE-2026-45083

Published: May 27, 2026

Modified: May 28, 2026

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.

Vendor	Product	Versions
intranda	goobi-viewer-core	affected `>= 4.8.0, < 26.04.1`

Weaknesses (CWE)

CWE-306

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499

x_refsource_CONFIRM

https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd

x_refsource_MISC

https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-45083

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References