14 matches found
CVE-2025-12107
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...
CVE-2025-12107
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...
CVE-2025-12107
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...
CVE-2025-12107 Potential authenticated Server-Side Template Injection (SSTI) vulnerability.
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and...
CVE-2025-12107
CVE-2025-12107 involves a vulnerable Velocity template engine. It allows a malicious actor with admin privilege to inject and execute arbitrary template code in server-side templates, potentially leading to remote code execution, data manipulation, or unauthorized access. CVSS 3.1 base score is 1...
PT-2026-20796
Name of the Vulnerable Software and Affected Versions versions prior to Feb. 19, 2026 Description The software uses a vulnerable third-party Velocity template engine, allowing a malicious actor with admin privilege to inject and execute arbitrary template syntax within server-side templates...
WSO2 Identity Server 安全漏洞
WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a security vulnerability that stems from the use of a vulnerable third-party Velocity template engine. This vulnerability could allow attackers with administrative privileges...
CVE-2025-51991
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection SSTI in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is...
CVE-2025-51991
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection SSTI in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is...
CVE-2024-24230
Komm.One CMS 10.4.2.14 has a Server-Side Template Injection SSTI vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime.exec followed by an OS command...
CVE-2024-24230
Komm.One CMS 10.4.2.14 is affected by a Server-Side Template Injection (SSTI) in the Velocity engine. The underling issue allows an attacker to craft a URL that uses java.lang.Runtime and getRuntime().exec to execute arbitrary OS commands on the server. This CVE-2024-24230 entry is corroborated b...
CVE-2024-24230
Komm.One CMS 10.4.2.14 has a Server-Side Template Injection SSTI vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime.exec followed by an OS command...
CVE-2024-24230
Komm.One CMS 10.4.2.14 has a Server-Side Template Injection SSTI vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime.exec followed by an OS command...
Debian DLA-2597-1 : velocity-tools security update
It was discovered that there was a cross-site scripting XSS vulnerability in velocity-tools, a collection of useful tools for the 'Velocity' template engine. The default error page could be exploited to steal session cookies, perform requests in the name of the victim, used for phishing attacks a...