CVE-2025-13426

CVE Database · CVE-2025-13426

CVE-2025-13426

· N/ADeferred

CVSS v3.1

N/A

CVSS v4.0

8.7

EPSS

0.39%

Published

Dec 5, 2025

Modified

Apr 14, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+

Weaknesses (CWE)

CWE-913

References (1)

https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025

KEV Catalog EPSS Scores Vendors All CVEs