CVE-2025-11165
Published: 2026-02-24
Priority: P2 (68) · Severity: critical · CVSS 3.1 base score: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.30% (21.9th percentile)
A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.
By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.
Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotcms | dotcms | < 24.12.27 | 24.12.27 |
| dotcms | dotcms | — | — |
| dotcms | dotcms | — | — |
| dotcms | dotcms | >= 25.01.07 < 25.07.10 | 25.07.10 |
Detection & IOCs (extracted from sources)
- Monitor for access to java.lang.Runtime or arbitrary system command execution originating from the dotCMS/Tomcat process context, which may indicate a successful sandbox escape via Velocity VTools.
- Alert on authenticated users with scripting privileges invoking SecureUberspectorImpl bypass patterns within the dotCMS Velocity scripting engine (VTools).
- The vulnerability requires the attacker to be an authenticated user with scripting privileges in dotCMS; unauthenticated exploitation is not indicated by available sources.
- No public exploit is confirmed as of the published date; the EPSS exploitation probability is low (0.1%) despite the critical CVSS score of 9.4.
- Fixes were made available for both Linux and Windows platforms; patch dates are February 24, 2026 and March 3, 2026 depending on the release track.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.