


Perceptive Security
SOC/SIEM Consultancy

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpo…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 23:01:09
Source:
nvd.nist.gov
Web Technologies, Database & Storage
The Goobi viewer web application contains a critical vulnerability in versions 4.8.0 to before 26.04.1. The REST endpoint POST /api/v1/index/stream accepts arbitrary Solr streaming expressions from unauthenticated clients and forwards them to the backend Solr server without restriction. This allows attackers to read the complete Solr index and potentially modify or delete indexed records in default Solr deployments. The vulnerability enables unauthorized access to digitized material and database manipulation through injection attacks. The issue has been fixed in version 26.04.1.
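A defender's check for the exposure described above, as an added example that is not part of the original alert or the Goobi viewer project: it scans reverse-proxy access logs for POST requests to /api/v1/index/stream and groups them by client. The Combined Log Format, the /viewer context path and every sample log line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory; a deployment may serve it under a context path.
ENDPOINT = "/api/v1/index/stream"

# Assumed log layout: Combined Log Format as written by common reverse proxies.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop query string and ;path parameters, decode, collapse slashes."""
    path = urlsplit(target).path
    path = re.sub(r";[^/]*", "", path)
    path = re.sub(r"/{2,}", "/", unquote(path))
    return path.rstrip("/")

def find_stream_requests(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise_path(m["target"]).endswith(ENDPOINT):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def clients_served(hits):
    """Clients that received at least one 2xx answer from the endpoint."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, status in reqs))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/May/2026:09:14:02 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [27/May/2026:09:14:09 +0000] "POST /viewer/api/v1/index/stream;jsessionid=0A1B?x=1 HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '192.0.2.10 - - [27/May/2026:09:15:00 +0000] "GET /viewer/api/v1/index/stream HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/May/2026:09:15:30 +0000] "POST /viewer/search/ HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/May/2026:09:16:41 +0000] "POST /api/v1/index/stream/ HTTP/1.1" 403 0 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    hits = find_stream_requests(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("received 2xx:", clients_served(hits))
```

Requests logged while a version from 4.8.0 to before 26.04.1 was deployed are the ones to review; a 2xx status shows only that the endpoint answered, not what was returned.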
Technical details
Mitigation steps:
Affected products:
Goobi viewer
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45083
https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd
https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705
https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
