{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dspace-9.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DSpace (8.0)","DSpace (8.1)","DSpace (8.2)","DSpace (8.3)","DSpace (9.0)","DSpace (9.1)","DSpace (9.2)","DSpace (10.0-rc1)"],"_cs_severities":["high"],"_cs_tags":["rce","web-application","vulnerability","dspace"],"_cs_type":"advisory","_cs_vendors":["DSpace"],"content_html":"\u003cp\u003eRemote Code Execution (RCE) is possible via Velocity Templates used by DSpace for COAR Notify/LDN messages. This vulnerability, tracked as CVE-2026-49832, impacts DSpace versions 8.0 through 8.3, 9.0 through 9.2, and the 10.0-rc1 development release. An attacker must first obtain DSpace administrator credentials to exploit this flaw. When chained with a prior path traversal vulnerability (GHSA-9qm4-rh6w-pq5x), this allows for direct Java execution using reflection within Velocity templates. The vulnerability was discovered and reported by Pablo Picurelli Ortiz and affects critical components of the DSpace repository system, enabling adversaries with administrative access to compromise the integrity and confidentiality of the entire platform by executing arbitrary code on the server. The fix is included in DSpace 8.4, 9.3, and 10.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains valid DSpace administrator credentials through various means (e.g., phishing, credential stuffing, brute-force).\u003c/li\u003e\n\u003cli\u003eAttacker logs into the DSpace administrative interface using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eLeveraging the LDN (COAR Notify) feature, the attacker exploits the identified path traversal vulnerability (GHSA-9qm4-rh6w-pq5x) to upload or modify a Velocity template file on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious Java code (using reflection) into the compromised Velocity template, specifically crafted to achieve server-side execution.\u003c/li\u003e\n\u003cli\u003eThe DSpace application, when processing an LDN message or rendering a page that utilizes the manipulated template, invokes the Velocity template engine.\u003c/li\u003e\n\u003cli\u003eThe Velocity engine processes the compromised template, leading to the execution of the embedded malicious Java code on the DSpace server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves Remote Code Execution (RCE) on the underlying DSpace server, enabling arbitrary command execution, data exfiltration, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a very high impact when exploited, allowing for Remote Code Execution on the DSpace server. Successful exploitation requires DSpace administrator credentials and can be chained with a prior LDN Path Traversal Attack (GHSA-9qm4-rh6w-pq5x). If exploited, attackers can execute arbitrary Java code using reflection from Velocity templates, leading to full compromise of the DSpace instance, including data manipulation, exfiltration, or complete system takeover. The vulnerability affects DSpace versions 8.0 through 8.3, 9.0 through 9.2, and 10.0-rc1. Disabling the LDN feature serves as an effective workaround if immediate patching is not possible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DSpace instances to version 8.4, 9.3, or 10.0 immediately to remediate CVE-2026-49832.\u003c/li\u003e\n\u003cli\u003eDisable the LDN feature by setting \u003ccode\u003eldn.enabled=false\u003c/code\u003e in \u003ccode\u003edspace.cfg\u003c/code\u003e or \u003ccode\u003elocal.cfg\u003c/code\u003e if it is not critical for your DSpace repository's operation.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, apply the manual patch files available for DSpace 8.x (Pull request #12549) or DSpace 9.x (Pull request #12548) as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T20:32:37Z","date_published":"2026-07-08T20:32:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dspace-rce-velocity-templates/","summary":"DSpace versions 8.0 through 8.3, 9.0 through 9.2, and 10.0-rc1 are vulnerable to Remote Code Execution (RCE) via Velocity Templates used for COAR Notify/LDN messages, allowing an attacker with DSpace administrator credentials to execute direct Java code using reflection, a high-impact vulnerability that can be chained with a related path traversal attack (GHSA-9qm4-rh6w-pq5x).","title":"DSpace RCE via Velocity Templates (CVE-2026-49832)","url":"https://feed.craftedsignal.io/briefs/2026-07-dspace-rce-velocity-templates/"}],"language":"en","title":"CraftedSignal Threat Feed - DSpace (9.2)","version":"https://jsonfeed.org/version/1.1"}