CVE-2026-22244

Summary

OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE

Severity

high

EPSS

0.8% (p50)

Also known as

GHSA-5f29-2333-h9c7

Published

2026-01-07

References

• https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7
• https://nvd.nist.gov/vuln/detail/CVE-2026-22244
• https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity