CVE-2023-49964

Severity: HIGH

Hyland Alfresco Content Services < 7.2.0 - Server-Side Template Injection via folder.get.html.ftl

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-49964. PoCs published by mbadanoiu.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2023-49964, a Server-Side Template Injection (SSTI) vulnerability in Hyland Alfresco Community Edition <=7.2.0. The vulnerability allows attackers to achieve Remote Code Execution (RCE) by exploiting FreeMarker template injection in the folder.get.html.ftl file.

Description

An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.

Exploits (1)

nomisec WRITEUP 7 stars
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2023-49964

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Hyland Alfresco Community Edition <=7.2.0
Auth required
Prerequisites: Valid user credentials
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 8.8
EPSS: 0.3468
EPSS Percentile: 98.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-74
Status: published
Products (1): hyland/alfresco_content_services < 7.2.0
Published: Dec 11, 2023
Tracked Since: Feb 18, 2026