Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-9498

Source VulDB

Published May 25, 2026 at 20:00

Affected Product

Vendor Dromara

Product lamp-cloud

Version 5.6.0

Affected Versions Dromara lamp-cloud 5.6.0
Dromara lamp-cloud 5.6.1
Dromara lamp-cloud 5.6.2

CWE Classification

CWE-1336 CWE-791

References

{
    "lastseen": "",
    "description": "A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-05-25T20:00:18.474Z",
    "modified": "2026-05-25T20:00:18.474Z",
    "type": "cve",
    "title": "Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a template engine",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/365481\nhttps://vuldb.com/vuln/365481/cti\nhttps://vuldb.com/submit/814103\nhttps://github.com/Ku4D3/bug_story/blob/main/report_02.md",
    "id": "CVE-2026-9498",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336",
        "CWE-791"
    ],
    "cvelist": null,
    "sourceData": "Dromara lamp-cloud 5.6.0\nDromara lamp-cloud 5.6.1\nDromara lamp-cloud 5.6.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "lamp-cloud",
    "version": "5.6.0",
    "vendor": "Dromara",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a template engine_CVE-2026-9498