CVE-2025-11165
Published: 24 February 2026
Summary
CVE-2025-11165 is a critical-severity vulnerability in dotCMS (vendor dotCMS). It is catalogued as SQL Injection (CWE-89), although the flaw described below is a sandbox escape in the Velocity scripting engine. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: timely application of the vendor patch for the Velocity sandbox escape removes the bypass of SecureUberspectorImpl at its source.
- AC-6 Least Privilege: the bypass requires an authenticated account that holds scripting privileges, so granting that privilege only where it is needed shrinks the set of users able to modify the Velocity runtime configuration.
- AC-25 Reference Monitor: mediating access to Java classes and packages with a tamper-resistant monitor, rather than with configuration that a template can rewrite and reinitialize, directly counters the dynamic bypass of the introspector restrictions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The Velocity engine runs inside a public-facing dotCMS instance, so this authenticated sandbox escape is an instance of T1190: once the introspector restrictions are cleared, java.lang.Runtime gives arbitrary command execution, i.e. remote code execution under the application process.
NVD Description
A sandbox escape vulnerability exists in dotCMS's Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine's runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections. Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).
Deeper analysis
CVE-2025-11165 is a sandbox escape vulnerability in dotCMS's Velocity scripting engine, specifically the VTools component. It enables authenticated users with scripting privileges to bypass the class and package restrictions enforced by SecureUberspectorImpl. The issue was published on 2026-02-24 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): network-reachable, low attack complexity, low privileges, no user interaction, and a changed scope, since the resulting commands run with the privileges of the application process rather than inside the scripting sandbox. It is recorded under CWE-89 (SQL Injection); that classification does not match the described mechanism, which is template-driven code execution, so do not filter it out of triage on the CWE alone.
The attacker needs an authenticated account with scripting access and nothing more. By dynamically modifying the Velocity engine's runtime configuration and reinitializing its Uberspect, they clear the introspector.restrict.classes and introspector.restrict.packages protections. With those lists empty, any Java class becomes reachable from a template, including java.lang.Runtime, and the attacker can execute arbitrary system commands under the privileges of the application process, such as the dotCMS or Tomcat user.
Mitigation details are available in the dotCMS advisory at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-74.
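As an added editorial check, not dotCMS code and not the vendor's fix, the Python below does two things a practitioner would want after reading the description above: it scans Velocity (VTL) templates for the footprint of the technique (references to the engine's runtime configuration or Uberspect, to the introspector.restrict.* properties, and to java.lang.Runtime or ProcessBuilder), and it verifies that a Velocity properties file names a secure uberspector with non-empty deny lists. The token list, the regexes, the property key runtime.introspector.uberspect (the standard Velocity key for the uberspector class), and all sample templates and properties are the editor's assumptions and constructed inputs; the suspicious template is written only to exercise the detector and is not a verified payload.

```python
"""Hunt for the CVE-2025-11165 pattern in Velocity templates and configuration.

Added example by the editor: not dotCMS code, not the vendor's fix. The token
list and regexes are assumptions chosen from the public description of the
flaw; the sample inputs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Token families, checked in this order; the first family that matches a line
# labels it. Assumption: chosen by the editor from the advisory text.
RISKY_TOKENS = {
    # The introspector.restrict.* properties or the Uberspect itself.
    "introspector": [r"\bUberspect", r"introspector\.restrict\.(?:classes|packages)"],
    # Reaching the engine's runtime configuration and reinitializing it.
    "runtime-config": [r"\bRuntimeInstance\b", r"\bRuntimeSingleton\b",
                       r"\bsetProperty\s*\(", r"\baddProperty\s*\(", r"\.init\s*\("],
    # Classes that turn a cleared deny list into command execution.
    "dangerous-class": [r"java\.lang\.Runtime\b", r"java\.lang\.ProcessBuilder\b",
                        r"\.exec\s*\(", r"\bClass\.forName\b|\.forName\s*\("],
}


@dataclass
class Finding:
    template: str
    line_no: int
    category: str
    text: str


def scan_template(name: str, vtl: str) -> list[Finding]:
    """Return one Finding per template line that matches any risky token."""
    findings: list[Finding] = []
    for line_no, line in enumerate(vtl.splitlines(), start=1):
        for category, patterns in RISKY_TOKENS.items():
            if any(re.search(p, line) for p in patterns):
                findings.append(Finding(name, line_no, category, line.strip()))
                break  # one label per line is enough for triage
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' when a template both touches the engine/introspector configuration
    and names a dangerous class (the two halves of the described escape),
    'review' for any other hit, 'ok' when nothing matched."""
    cats = {f.category for f in findings}
    if cats & {"introspector", "runtime-config"} and "dangerous-class" in cats:
        return "block"
    return "review" if findings else "ok"


def check_velocity_properties(props: str) -> list[str]:
    """Return configuration problems found in a velocity.properties text
    (empty list means the baseline looks right). Single-line values only;
    backslash continuations are not handled."""
    kv: dict[str, str] = {}
    for raw in props.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        kv[key.strip()] = value.strip()

    problems: list[str] = []
    if "SecureUberspector" not in kv.get("runtime.introspector.uberspect", ""):
        problems.append("runtime.introspector.uberspect does not name a SecureUberspector")
    restricted = {c.strip() for c in kv.get("introspector.restrict.classes", "").split(",") if c.strip()}
    for cls in ("java.lang.Runtime", "java.lang.ProcessBuilder"):
        if cls not in restricted:
            problems.append(f"introspector.restrict.classes is missing {cls}")
    if not kv.get("introspector.restrict.packages", ""):
        problems.append("introspector.restrict.packages is empty")
    return problems


# Constructed sample inputs (editor's test vectors, not real dotCMS content).
BENIGN_VTL = """## constructed benign template
#set($title = $content.title)
<h1>$title</h1>
#foreach($item in $items)
  <li>$item.name</li>
#end
"""

SUSPICIOUS_VTL = """## constructed sample: touches the engine configuration, then a dangerous class
#set($cfg = $request.getClass().forName("org.apache.velocity.runtime.RuntimeSingleton"))
$cfg.setProperty("introspector.restrict.classes", "")
$cfg.init()
#set($rt = $request.getClass().forName("java.lang.Runtime"))
$rt.getRuntime().exec("id")
"""

WEAK_PROPS = """# constructed: permissive uberspector, empty deny lists
runtime.introspector.uberspect = org.apache.velocity.util.introspection.UberspectImpl
introspector.restrict.classes =
introspector.restrict.packages =
"""

HARDENED_PROPS = """# constructed: secure uberspector with explicit deny lists
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
introspector.restrict.classes = java.lang.Runtime, java.lang.ProcessBuilder, java.lang.Thread, java.lang.Class
introspector.restrict.packages = java.lang.reflect
"""

if __name__ == "__main__":
    for name, vtl in (("benign", BENIGN_VTL), ("suspicious", SUSPICIOUS_VTL)):
        hits = scan_template(name, vtl)
        print(f"{name}: {verdict(hits)}")
        for h in hits:
            print(f"  line {h.line_no} [{h.category}] {h.text}")
    print("weak props:", check_velocity_properties(WEAK_PROPS))
    print("hardened props:", check_velocity_properties(HARDENED_PROPS))
```

Run it against the templates your contributors can edit and against the velocity.properties your deployment ships. Two caveats: the scan is a heuristic that will flag legitimate templates calling .init( or .exec( and will miss obfuscated references, so treat hits as items for a review queue rather than proof of compromise; and a clean properties check does not close CVE-2025-11165, because the flaw is precisely that an authenticated template author can rewrite those properties at runtime. The vendor patch referenced in the SI-74 advisory is the fix; these checks are for triage and for confirming the baseline afterward.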
Details
- CWE(s)