CVE 10 CRITICAL

Potential authenticated Server-Side Template Injection (SSTI) vulnerability._CVE-2025-12107

February 19, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.

Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

AI Analysis

A Server-Side Template Injection (SSTI) vulnerability in WSO2 Identity Server allows a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Basic Information

ID CVE-2025-12107

Source WSO2

Published Feb 19, 2026 at 10:04

Affected Product

Vendor WSO2

Product WSO2 Identity Server

Version 5.11.0.130

Affected Versions WSO2 WSO2 Identity Server 5.11.0.130

CWE Classification

CWE-1336

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor WSO2

Product WSO2 Identity Server

Version 5.11.0.130

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2026/WSO2-2025-4517/

{
    "lastseen": "",
    "description": "Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. \n\n Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.",
    "published": "2026-02-19T10:04:47.542Z",
    "modified": "2026-02-19T10:04:47.542Z",
    "type": "cve",
    "title": "Potential authenticated Server-Side Template Injection (SSTI) vulnerability.",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4517/",
    "id": "CVE-2025-12107",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 Identity Server 5.11.0.130",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 Identity Server",
    "version": "5.11.0.130",
    "vendor": "WSO2",
    "ai_description": "A Server-Side Template Injection (SSTI) vulnerability in WSO2 Identity Server allows a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.",
    "ai_severity": "Critical",
    "ai_vendor": "WSO2",
    "ai_product": "WSO2 Identity Server",
    "ai_version": "5.11.0.130",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply