How to fix CVE-2025-11165?

Within 24 hours: Audit and revoke scripting privileges for all non-essential users; implement strict access controls limiting scripting access to trusted administrators only. Within 7 days: Isolate affected dotCMS instances from sensitive systems and production networks if possible; enable detailed logging and monitoring of all Velocity script execution. Within 30 days: Monitor dotCMS security advisories for patch release; engage vendor support to confirm mitigation timeline; evaluate alternative content management solutions if patch timeline is unacceptable.

Is Tomcat affected by CVE-2025-11165?

A critical vulnerability in dotCMS allows authenticated users with scripting privileges to escape sandbox restrictions and execute arbitrary code, potentially leading to complete system compromise.

CVE-2025-11165

CRITICAL

2026-02-24 [email protected]

9.9

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 09:16 nvd

CRITICAL 9.9

Description

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections. Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).

Analysis

Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.

Technical Context

CWE-89 SQL injection through VTools in dotCMS's Velocity scripting engine. Authenticated users can break out of the Velocity sandbox to execute arbitrary SQL.

Affected Products

['dotCMS (all versions up to fix)']

Remediation

Update dotCMS. Review Velocity template permissions.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +50

POC: 0

CVE-2025-11165 vulnerability details – vuln.today

Back

CVE-2025-11165

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-11165

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code