CVE-2025-70830

CriticalRCE

Published: 17 February 2026

Published

17 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0003 9.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70830 is a critical-severity Code Injection (CWE-94) vulnerability in Portswigger (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the SSTI vulnerability by identifying, prioritizing, and remediating the specific flaw in Datart's Freemarker template engine handling of SQL script inputs.

SI-10 Information Input Validation good match

prevent

Prevents SSTI exploitation by validating and sanitizing user inputs to the SQL script field to block crafted Freemarker template syntax.

SI-9 Information Input Restrictions partial match

prevent

Restricts input classes to the SQL script field, limiting the ability of authenticated attackers to inject malicious Freemarker syntax.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

SSTI in web app directly enables remote code execution via crafted template input (T1190) and arbitrary command/script execution on server (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field.

Deeper analysisAI

CVE-2025-70830 is a Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3. Published on 2026-02-17, it enables authenticated attackers to execute arbitrary code by injecting crafted Freemarker template syntax into the SQL script field. The issue is classified under CWE-94 (Code Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and broad impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network without requiring user interaction. By crafting malicious Freemarker syntax in the SQL script field, they achieve arbitrary code execution on the server, potentially leading to full system compromise with high confidentiality, integrity, and availability impacts, exacerbated by the changed scope (S:C).

Mitigation guidance can be found in related advisories and resources, including the Datart project repository at https://github.com/running-elephant/datart, a proof-of-concept repository at https://github.com/xiaoxiaoranxxx/CVE-2025-70830, and general information on SSTI from PortSwigger at https://portswigger.net/web-security/server-side-template-injection.