mockserver-core is vulnerable to remote code execution. MockServer supports dynamic creation of expectations from JavaScript or Velocity templates, and in combination with its default CORS configuration this allows an attacker to inject a malicious script while MockServer is running locally.
github.com/mock-server/mockserver/blob/33ce88631b4e3d09b499caccfe1f7897f9fc8f18/mockserver-core/src/main/java/org/mockserver/templates/engine/velocity/VelocityTemplateEngine.java#L38-L41
github.com/mock-server/mockserver/commit/905f004da91ff4e6acb9b22ad6116a4e8d096359
github.com/mock-server/mockserver/issues/1141
securitylab.github.com/advisories/GHSL-2021-059-mockserver
securitylab.github.com/advisories/GHSL-2021-059-mockserver/
www.oracle.com/security-alerts/cpujan2022.html