CVE-2025-70830

CRITICAL

Datart 1.0.0-rc.3 - Code Injection

Title source: llm

Description

A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field.

Exploits (1)

nomisec WORKING POC 1 stars

by xiaoxiaoranxxx · poc

https://github.com/xiaoxiaoranxxx/CVE-2025-70830

View Code ZIP pw:eip

References (3)

[Various Sources] https://github.com/running-elephant/datart

[Various Sources] https://github.com/xiaoxiaoranxxx/CVE-2025-70830

[Various Sources] https://portswigger.net/web-security/server-side-template-injection

Scores

CVSS v3 9.9

EPSS 0.0003

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-94

Status draft

Timeline

Published Feb 17, 2026

Tracked Since Feb 18, 2026