Cyber Posture

CVE-2025-46295

Severity: Critical
Published: 16 December 2025
Modified: 23 December 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly mitigates CVE-2025-46295 by requiring timely patching of vulnerable Apache Commons Text versions prior to 1.10.0 or upgrading FileMaker Server to 22.0.4.

prevent: Prevents exploitation by validating and sanitizing untrusted input passed to the text-substitution API, blocking malicious interpolators that enable RCE.

prevent: Prohibits use of unsupported or vulnerable system components like Apache Commons Text prior to 1.10.0, eliminating the vulnerable library from deployments.

Security Summary (AI-generated)

CVE-2025-46295 affects Apache Commons Text versions prior to 1.10.0, where interpolation features in the text-substitution API can be abused by passing untrusted input. These interpolators enable actions such as executing commands or accessing external resources, potentially leading to remote code execution (classified under CWE-94). The vulnerability has been fully addressed in FileMaker Server 22.0.4, indicating that FileMaker Server deployments relying on vulnerable versions of the Apache Commons Text library are impacted.

A remote, unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying crafted input to the text-substitution API, the attacker can cause interpolators to execute arbitrary commands or access external resources on the target system, achieving full remote code execution.
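The summary above describes the risk in terms of the library's interpolators. The following added example (not code from Claris, FileMaker Server, or the Apache Commons Text project) shows the defensive way to use the Commons Text substitution API: the template stays developer-controlled, untrusted data enters only as lookup values, the interpolator is built without the default prefix lookups, and substitution inside resolved values is disabled so a value that looks like an interpolation expression is emitted literally. The template string, the SafeSubstitution class name, and the sample values are constructed for illustration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeSubstitution {

    // Constructed, developer-controlled template. It is never assembled from request data;
    // untrusted input only ever reaches the substitutor as a value in the lookup map.
    private static final String TEMPLATE = "Hello ${user}, your order ${orderId} is ready.";

    /** Builds a substitutor whose only lookup is an explicit map of allowed variables. */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> values) {
        StringLookup allowed = StringLookupFactory.INSTANCE.mapStringLookup(values);

        // addDefaultLookups = false: no prefixed lookups (script:, dns:, url:, sys:, env:, ...)
        // are registered, so "${script:...}" and friends have nothing to resolve against.
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of(), allowed, false);

        StringSubstitutor substitutor = new StringSubstitutor(interpolator);

        // Without this, a resolved value such as "${sys:user.name}" would itself be
        // re-substituted. Disabling it keeps user-supplied values as opaque text.
        substitutor.setDisableSubstitutionInValues(true);
        return substitutor;
    }

    /** Renders the fixed template with untrusted values; the values cannot steer lookups. */
    static String render(Map<String, String> untrustedValues) {
        return restrictedSubstitutor(untrustedValues).replace(TEMPLATE);
    }

    public static void main(String[] args) {
        // Constructed sample input: the "user" field carries interpolation-looking text.
        Map<String, String> fromRequest = Map.of(
                "user", "${sys:user.name}",
                "orderId", "42");

        // The output contains the literal text "${sys:user.name}" rather than a resolved
        // system property, because the expression is treated as data, not as a template.
        System.out.println(render(fromRequest));
    }
}
```

Upgrading to a fixed library version (or to FileMaker Server 22.0.4, as the advisory directs) remains the primary control; the construction above is the complementary application-level control that the "validating and sanitizing untrusted input" item describes, and it is worth applying even on patched versions because any prefix lookup that is registered can still be reached by whoever controls the template text.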

The Claris support advisory at https://support.claris.com/s/answerview?anum=000049059&language=en_US confirms that the issue is fully resolved in FileMaker Server 22.0.4, recommending affected users upgrade to this version for mitigation.

Details

CWE(s): CWE-94

Affected Products: Claris FileMaker Server ≤ 22.0.4

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The CVE enables exploitation of a public-facing application (FileMaker Server) by a remote, unauthenticated attacker (T1190) and abuse of text interpolation/template substitution features for RCE (T1221).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
