What is the CVSS score of CVE-2025-12107?

CVE-2025-12107 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Identity Server are affected by CVE-2025-12107?

CVE-2025-12107 affects Identity Server deployments up to version 5.11.0, allowing authenticated administrators with malicious intent to execute arbitrary code through template injection.

How to fix or mitigate CVE-2025-12107?

Within 24 hours: Inventory all Identity Server instances and document versions; restrict admin account access to essential personnel only and enable enhanced logging. Within 7 days: Contact vendor for patch timeline and evaluate upgrade feasibility to version 5.11.1 or later; implement network segmentation to isolate Identity Server from critical systems. Within 30 days: Complete migration to patched version or implement approved compensating controls; conduct audit of admin activity logs for suspicious template injection attempts.

Identity Server CVE-2025-12107

HIGH

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2026-02-19 ed10eef1-636d-4fbe-9993-6890dfa878f8

RCE Identity Server

8.4

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.4 HIGH

AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 19, 2026 - 10:16 nvd

HIGH 8.4

DescriptionCVE.org

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.

Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

AnalysisAI

Identity Server versions up to 5.11.0 contains a vulnerability that allows attackers to a malicious actor with admin privilege to inject and execute arbitrary template (CVSS 8.4).

Technical ContextAI

affects Identity Server. Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.

RemediationAI

Monitor vendor advisories for a patch.

CVE-2025-12107 vulnerability details – vuln.today

Back

Identity Server CVE-2025-12107

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code