CVE-2025-12107

HIGH

Velocity Template Engine - Code Injection

Title source: llm

Description

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Scores

CVSS v3: 8.4
EPSS: 0.0058
EPSS Percentile: 69.0%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-1336
Status: published
Products (1): wso2/identity_server 5.11.0
Published: Feb 19, 2026
Tracked Since: Feb 19, 2026