Text4Shell Remote Code Execution – (CVE-2022-42889)

Severity: Critical

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability which has CVE-2022-42889 number assigned and mainly affects Apache Software Foundation Commons Text from 1.5 to 1.10.0

  • The vulnerability allows attackers to execute arbitrary code on the target systems. The attacker may also be able to execute arbitrary system commands.
  • There is a publicly available exploit of the vulnerability. It should therefore be addressed as soon as possible.


The StringSubstitutor when used with the default interpolators (StringSubstitutor.createInterpolator()) will perform string lookups that may lead to arbitrary code execution. Please disable script interpolation.

Invicti Logo

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo