CVE-2025-11165

CVE-2025-11165 PUBLISHED

Assigner: dotCMS
Reserved: 29.09.2025 Published: 24.02.2026 Updated: 24.02.2026

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.

By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.

Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	dotCMS
Product	dotCMS
Versions	Default: unaffected Version 24.12 is affected Version 25.07 is affected

Vendor

dotCMS

Product

dotCMS

Versions

Default: unaffected

Version 24.12 is affected
Version 25.07 is affected

References

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE

Impacts

CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-122 Privilege Abuse