Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
9.4

dotCMS allows attackers to execute arbitrary system commands

CVE-2025-11165
Summary

Authenticated users with scripting privileges can bypass security restrictions and run malicious system commands on the server, which could lead to data theft or system compromise. This vulnerability affects dotCMS users with scripting access. Patching or updating to the latest version is recommended to prevent exploitation.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
VendorProductAffected versionsFix available
dotcms dotcms <= 24.12.27
dotcms dotcms > 25.01.07 , <= 25.07.10
Original title
A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by S...
Original description
A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.

By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.

Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).
nvd CVSS3.1 9.9
nvd CVSS4.0 9.4
Vulnerability type
CWE-89 SQL Injection
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026