CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Server-side template injection (SSTI) in Dromara lamp-cloud versions 5.6.0 through 5.6.2 exposes the Message Template Handler to remote exploitation by authenticated low-privileged users who can inject malicious Groovy expressions via the DefMsgTemplate.content parameter. The vulnerable function GroovyClassLoader.parseClass compiles and executes attacker-controlled input as Groovy code at runtime. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated account with at least low-level privileges on the lamp-cloud instance, sufficient to access the Message Template Handler and modify the DefMsgTemplate.content field; PR:L in the CVSS 4.0 vector confirms a low-privilege authenticated requirement. … |
| Risk Assessment | The NVD/VulDB-assigned CVSS 4.0 score of 2.1 (Low) warrants scrutiny: the vector AV:N/AC:L/AT:N/PR:L/UI:N with VC:L/VI:L/VA:L scores the Vulnerable Component impact as Low across all three pillars. … |
| Exploit Scenario | An attacker with a low-privileged account on a lamp-cloud 5.6.x instance navigates to the Message Template management interface and creates or edits a template, injecting a crafted Groovy payload (e.g., a string invoking Runtime.exec()) into the DefMsgTemplate.content field. Upon saving or previewing, the application passes the content to GroovyClassLoader.parseClass, which compiles and executes the payload within the server's JVM process. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor did not respond to disclosure. … |
External POC / Exploit Code
EUVD-2026-31733
GHSA-69m2-cj73-p6pp