What is the CVSS score of CVE-2025-11165?

CVE-2025-11165 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Java are affected by CVE-2025-11165?

A critical vulnerability in dotCMS allows authenticated users with scripting privileges to escape sandbox restrictions and execute arbitrary code, potentially leading to complete system compromise.

How to fix or mitigate CVE-2025-11165?

Within 24 hours: Audit and revoke scripting privileges for all non-essential users; implement strict access controls limiting scripting access to trusted administrators only. Within 7 days: Isolate affected dotCMS instances from sensitive systems and production networks if possible; enable detailed logging and monitoring of all Velocity script execution. Within 30 days: Monitor dotCMS security advisories for patch release; engage vendor support to confirm mitigation timeline; evaluate alternative content management solutions if patch timeline is unacceptable.

Java CVE-2025-11165

CRITICAL

SQL Injection (CWE-89)

2026-02-24 security@dotcms.com

Java Tomcat Dotcms

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 09:16 nvd

CRITICAL 9.9

DescriptionNVD

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.

By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.

Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).

AnalysisAI

Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.

Technical ContextAI

CWE-89 SQL injection through VTools in dotCMS's Velocity scripting engine. Authenticated users can break out of the Velocity sandbox to execute arbitrary SQL.

RemediationAI

Update dotCMS. Review Velocity template permissions.

CVE-2025-11165 vulnerability details – vuln.today

Back

Java CVE-2025-11165

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code