org.xwiki.commons:xwiki-commons-velocity is vulnerable to arbitrary file access. A privileged attacker who has access to an API that returns a file is able to perform read or write operations on the filesystem, because the library is not properly sandboxed against use of the Java File API.
github.com/advisories/GHSA-cvx5-m8vg-vxgc
github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8
github.com/xwiki/xwiki-commons/commit/327fa15ba24c2152940f09e459d0fe934756dde4
github.com/xwiki/xwiki-commons/commit/d6dc35da44c32f582d76fa0bbf096c8d0e1313d4
github.com/xwiki/xwiki-commons/pull/127
github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc
jira.xwiki.org/browse/XWIKI-5168