CVE-2025-12107

High CVSS: 8.4

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.

Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Vendor

Wso2

Product

Identity Server

CWE

CWE-1336

Yayın Tarihi

2026-02-19 10:16:09

Güncelleme

2026-03-06 16:16:08

Source Identifier

ed10eef1-636d-4fbe-9993-6890dfa878f8

KEV Date Added

Kategoriler

CWE-1336 Identity Server HIGH Wso2 2026

Referanslar

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4517/

Benzer Kayıtlar

High

CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk…

Critical

CVE-2025-13590

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the d…

Critical

CVE-2025-9312

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST AP…

High

CVE-2025-6670

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method…

Medium

CVE-2025-10853

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to i…

Medium

CVE-2025-5770

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products du…