Lucene search
75 matches found

Nuclei
added yesterday | 13 views

XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)

XWiki <= 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic. id: CVE-2025-51991 info: name: XWiki <= 17.3.0 -...

CVSS 8.8 | AI score 6.1 | EPSS 0.03653
Exploits: 1 | References: 2

Snyk
added 2026/05/09 12:40 a.m. | 4 views

Prototype Pollution

Overview: velocityjs is a Velocity Template Language (VTL) for JavaScript. Affected versions of this package are vulnerable to Prototype Pollution through the processing of set directives in templates. An attacker can modify the global object prototype by supplying specially crafted template content,...

CVSS 9.8 | AI score 6.4 | EPSS 0.00102
Exploits: 1 | References: 2

RedhatCVE
added 2026/02/20 1:25 p.m. | 3 views

CVE-2025-12107

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...

CVSS 8.4 | AI score 6.3 | EPSS 0.00582
Exploits: 0 | References: 1

NVD
added 2026/02/19 10:16 a.m. | 2 views

CVE-2025-12107

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...

CVSS 8.4 | EPSS 0.00582
Exploits: 0 | References: 1

OSV
added 2026/02/19 10:16 a.m. | 1 views

CVE-2025-12107

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...

CVSS 7.2 | AI score 6.3 | EPSS 0.00582
Exploits: 0 | References: 1

ATTACKERKB
added 2026/02/19 10:4 a.m. | 3 views

CVE-2025-12107

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...

CVSS 10 | AI score 6.4 | EPSS 0.00582
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/02/19 10:4 a.m. | 2 views

CVE-2025-12107 Potential authenticated Server-Side Template Injection (SSTI) vulnerability.

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...

CVSS 8.4 | AI score 6.4 | EPSS 0.00582
Exploits: 0 | References: 1

CVE
added 2026/02/19 10:4 a.m. | 15 views

CVE-2025-12107

CVE-2025-12107 involves a vulnerable Velocity template engine. It allows a malicious actor with admin privilege to inject and execute arbitrary template code in server-side templates, potentially leading to remote code execution, data manipulation, or unauthorized access. CVSS 3.1 base score is 1...

CVSS 8.4 | AI score 6.3 | EPSS 0.00582
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/02/19 10:4 a.m. | 25 views

CVE-2025-12107 Potential authenticated Server-Side Template Injection (SSTI) vulnerability.

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...

CVSS 8.4 | EPSS 0.00582
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/19 12:0 a.m. | 2 views

PT-2026-20796

Name of the Vulnerable Software and Affected Versions: versions prior to Feb. 19, 2026. Description: The software uses a vulnerable third-party Velocity template engine, allowing a malicious actor with admin privilege to inject and execute arbitrary template syntax within server-side templates...

CVSS 10 | AI score 6 | EPSS 0.00582
Exploits: 0 | References: 8

CNNVD
added 2026/02/19 12:0 a.m. | 3 views

WSO2 Identity Server Security Vulnerability

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a security vulnerability that stems from the use of a vulnerable third-party Velocity template engine. This vulnerability could allow attackers with administrative privileges...

CVSS 8.4 | AI score 6.3 | EPSS 0.00582
Exploits: 0 | References: 1

GithubExploit
added 2026/02/16 10:39 p.m. | 158 views

Exploit for Injection in Apache Solr

Apache-Solr-RCE-CVE-2019-17558 🛡️ Apache Solr Remote Code E...

CVSS 7.5 | AI score 5.8 | EPSS 0.9447
Exploits: 12

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2012-1836

Malware in sbrugna...

CVSS 6 | AI score 6.3 | EPSS 0.0101
Exploits: 1 | References: 10

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2022-3315

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.8 | EPSS 0.01182
Exploits: 0 | References: 7

NVD
added 2025/08/20 3:15 p.m. | 3 views

CVE-2025-51991

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is...

CVSS 8.8 | EPSS 0.03653
Exploits: 1 | References: 2

Vulnrichment
added 2025/08/20 12:0 a.m. | 3 views

CVE-2025-51991

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is...

AI score 7.9 | EPSS 0.03653
Exploits: 1 | References: 2

Cvelist
added 2025/08/20 12:0 a.m. | 6 views

CVE-2025-51991

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is...

EPSS 0.03653
Exploits: 1 | References: 2

RedhatCVE
added 2025/05/23 7:52 a.m. | 4 views

CVE-2024-24230

Komm.One CMS 10.4.2.14 has a Server-Side Template Injection (SSTI) vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime.exec followed by an OS command...

CVSS 7.5 | AI score 8.2 | EPSS 0.0159
Exploits: 0 | References: 1

Github Security Blog
added 2024/10/24 6:13 p.m. | 17 views

OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project

Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this...

CVSS 6.1 | AI score 6.9 | EPSS 0.003
Exploits: 1 | References: 5 | Affected Software: 1

CVE
added 2024/03/18 12:0 a.m. | 65 views

CVE-2024-24230

Komm.One CMS 10.4.2.14 is affected by a Server-Side Template Injection (SSTI) in the Velocity engine. The underlying issue allows an attacker to craft a URL that uses java.lang.Runtime and getRuntime().exec to execute arbitrary OS commands on the server. This CVE-2024-24230 entry is corroborated b...

CVSS 7.5 | AI score 8.1 | EPSS 0.0159
Exploits: 0 | References: 1