Cyber Resilience

CVE-2025-70830

CriticalRCE

Published: 17 February 2026

Published
17 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0100 58.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-70830 is a critical-severity Code Injection (CWE-94) vulnerability in Portswigger (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70830 is a Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3. Published on 2026-02-17, it enables authenticated attackers to execute arbitrary code by injecting crafted Freemarker template syntax into the SQL script field. The issue is classified under CWE-94 (Code Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and broad impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network without requiring user interaction. By crafting malicious Freemarker syntax in the SQL script field, they achieve arbitrary code execution on the server, potentially leading to full system compromise with high confidentiality, integrity, and availability impacts, exacerbated by the changed scope (S:C).

Mitigation guidance can be found in related advisories and resources, including the Datart project repository at https://github.com/running-elephant/datart, a proof-of-concept repository at https://github.com/xiaoxiaoranxxx/CVE-2025-70830, and general information on SSTI from PortSwigger at https://portswigger.net/web-security/server-side-template-injection.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

SSTI in web app directly enables remote code execution via crafted template input (T1190) and arbitrary command/script execution on server (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26045Shared CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-67979Shared CWE-94
CVE-2025-6000Shared CWE-94
CVE-2024-54756Shared CWE-94
CVE-2026-42898Shared CWE-94
CVE-2025-71281Shared CWE-94
CVE-2024-55022Shared CWE-94
CVE-2025-22906Shared CWE-94
CVE-2026-38992Shared CWE-94

Affected Assets

Portswigger
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the SSTI vulnerability by identifying, prioritizing, and remediating the specific flaw in Datart's Freemarker template engine handling of SQL script inputs.

prevent

Prevents SSTI exploitation by validating and sanitizing user inputs to the SQL script field to block crafted Freemarker template syntax.

prevent

Restricts input classes to the SQL script field, limiting the ability of authenticated attackers to inject malicious Freemarker syntax.

References