Remote Code Execution Vulnerability Affecting Apache Commons Text

Security update addresses a critical severity vulnerability in the Apache Commons Text library that could lead to remote code execution in Claris FileMaker Server

Threat ID:: CC-4730
Threat Severity:: Medium
Published:: 18 December 2025 1:19 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security update addresses a critical severity vulnerability in the Apache Commons Text library that could lead to remote code execution in Claris FileMaker Server

Affected platforms

The following platforms are known to be affected:

Apache Commons Text

All versions prior to 1.10.0

Claris FileMaker Server

All versions prior to 22.0.4

Threat details

Introduction

Claris has released a security update for FileMaker Server to address a critical severity vulnerability in the Apache Commons Text library used by the software. An attacker could exploit this vulnerability to achieve remote code execution (RCE).

CVE-2025-46295 - Improper control of generation of code ('code injection') - CVSSv3 score: 9.8

Remediation advice

Affected organisations are encouraged to review Claris' Security Advisory and apply the relevant update as soon as possible.

Definitive source of threat updates

https://support.claris.com/s/answerview?anum=000049059&language=en_US

CVE Vulnerabilities

Status Published

CVE-2025-46295

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4.

Last edited: 18 December 2025 1:19 pm