CVE-2025-12107
published 2026-02-19CVE-2025-12107: Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax…
PriorityP348high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
0.62%
45.1th percentile
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.
Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | identity_server | — | — |
| wso2 | wso2_identity_server | >= 5.11.0.130 < 5.11.0.299 | 5.11.0.299 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
2026-02-19
Published