cbcvebase.
CVE-2025-12107
published 2026-02-19

CVE-2025-12107: Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax…

PriorityP348high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
0.62%
45.1th percentile
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Affected

2 ranges
VendorProductVersion rangeFixed in
wso2identity_server
wso2wso2_identity_server>= 5.11.0.130 < 5.11.0.2995.11.0.299
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.