CVE-2025-12107

Опубликовано: 19 фев. 2026

Источник: nvd

CVSS3: 8.4

CVSS3: 7.2

EPSS Низкий

Описание

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.

Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Ссылки

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4517/
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 45%

0.00618

Низкий

8.4 High

CVSS3

7.2 High

CVSS3

Дефекты

CWE-1336

Связанные уязвимости

GHSA-8v9w-wqxw-hp8g

CVSS3: 10

github

4 месяца назад

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

EPSS

Процентиль: 45%

0.00618

Низкий

8.4 High

CVSS3

7.2 High

CVSS3

Дефекты

CWE-1336