CVE-2025-12107 PUBLISHED

Potential authenticated Server-Side Template Injection (SSTI) vulnerability.

Assigner: WSO2
Reserved: 23.10.2025 Published: 19.02.2026 Updated: 19.02.2026

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privileges may inject and execute arbitrary template syntax within server-side templates.

Successful exploitation of this vulnerability could allow a malicious actor with admin privileges to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Product Status

Vendor: WSO2
Product: WSO2 Identity Server
Versions: default unaffected
  • affected from 5.11.0.130 to 5.11.0.299 (exclusive)

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4517/#solution

Credits

  • Robert Raducioiu (reporter)

References

Problem Types

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine