CVE-2026-24343
Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions
In short
Apache HertzBeat contains a vulnerability in which attackers can inject crafted XPath expressions that consume excessive server resources, potentially making the application unresponsive or crashing it. Per the official description below, this affects versions from 1.7.1 before 1.8.0, and upgrading to 1.8.0 is strongly recommended.
Technical detail
An XPath injection vulnerability in Apache HertzBeat (from 1.7.1 before 1.8.0) allows attackers (the CVSS vector below rates the privileges required as low, PR:L) to craft specially designed XPath expressions that trigger uncontrolled resource consumption, leading to denial of service. The vulnerability stems from improper neutralization of user-supplied input in XPath queries, which lets an attacker alter how the query is evaluated and exhaust system resources.
Summary generated and translated by AI from the official description.
Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
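The root cause above is user input spliced into XPath queries without neutralization. The following is an added illustration of the mitigation pattern, not HertzBeat's own code: the query is either built from validated parts or checked against a small allow-listed XPath subset with size and descendant-step bounds before it is evaluated. The sample XML, the allowed subset and the bounds are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document (not HertzBeat data).
SAMPLE_XML = """<metrics>
  <host name="web-1"><cpu>12</cpu><mem>70</mem></host>
  <host name="db-1"><cpu>55</cpu><mem>81</mem></host>
</metrics>"""

# Assumed bounds: cap total length and the number of descendant ("//") steps,
# since each unbounded descendant scan multiplies evaluation cost.
MAX_LEN = 128
MAX_DESCENDANT_STEPS = 2

# Allowed subset: "." followed by steps of a name or "*", each optionally with
# one [@attr='literal'] predicate. No functions, unions, "or"/"and", or nesting.
_NAME = re.compile(r"[A-Za-z_][\w.-]*")
_STEP = r"(?:\*|[A-Za-z_][\w.-]*)(?:\[@[A-Za-z_][\w.-]*='[^'\"\[\]]*'\])?"
_SAFE_XPATH = re.compile(r"^\.(?:/{1,2}" + _STEP + r")+$")


def check_xpath(expr: str) -> bool:
    """Return True only if expr is inside the allowed subset and within bounds."""
    if len(expr) > MAX_LEN:
        return False
    if expr.count("//") > MAX_DESCENDANT_STEPS:
        return False
    return _SAFE_XPATH.fullmatch(expr) is not None


def build_host_metric_path(host: str, metric: str) -> str:
    """Preferred approach: validate the parts and build the path from them,
    instead of accepting a raw expression from the caller."""
    if not _NAME.fullmatch(host) or not _NAME.fullmatch(metric):
        raise ValueError("invalid host or metric name")
    return f"./host[@name='{host}']/{metric}"


def query(xml_text: str, expr: str) -> list[str]:
    """Evaluate an XPath only after it passes the guard; reject anything else."""
    if not check_xpath(expr):
        raise ValueError(f"rejected XPath expression: {expr!r}")
    root = ET.fromstring(xml_text)
    return [e.text or "" for e in root.findall(expr)]
```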
Affected products
Apache Software Foundation · Apache HertzBeat