WSO2 Identity Server Server-Side Template Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A server-side template injection vulnerability has been identified in WSO2 Identity Server version 5.11.0. This issue arises from the use of a vulnerable third-party Velocity template engine, which allows a malicious actor with admin privileges to inject and execute arbitrary template syntax within server-side templates. Successful exploitation could lead to remote code execution, unauthorized access to sensitive information, or manipulation of data on the server.

Impact

Exploitation of this vulnerability could allow for arbitrary code execution on the server, with potential access to sensitive information or the ability to manipulate data.

Remediation

WSO2 Identity Server users should update to version 5.11.0 Update Level 433. Community users can migrate to the latest unaffected version. Support subscription holders can use WSO2 Updates to apply the fix.

Added: Feb 19, 2026, 7:13 PM
Updated: Feb 19, 2026, 7:13 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 5.0
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.