{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/velocity/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xwiki","rce","velocity","scripting","CVE-2026-33229"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eXWiki versions before 17.4.8 and 17.10.1 are susceptible to remote code execution (RCE) due to an improperly protected Velocity scripting API. This vulnerability, identified as CVE-2026-33229, allows users with existing script rights to bypass the intended sandboxing mechanisms of the Velocity scripting API. By exploiting this flaw, attackers can execute arbitrary code, including potentially malicious Python scripts, on the XWiki instance. This vulnerability allows an attacker to gain complete control over the XWiki instance, compromising the confidentiality, integrity, and availability of the system and its data. The issue has been addressed in XWiki versions 17.4.8 and 17.10.1 by enforcing a requirement for programming rights to access the vulnerable API.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains script rights within the XWiki instance, either through compromised credentials or misconfigured permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request leveraging the unprotected Velocity scripting API.\u003c/li\u003e\n\u003cli\u003eThis request bypasses the intended sandboxing of the Velocity scripting engine.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary code, such as a Python script, into the Velocity template.\u003c/li\u003e\n\u003cli\u003eThe Velocity engine executes the injected code on the XWiki server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution privileges on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to install a web shell.\u003c/li\u003e\n\u003cli\u003eUsing the web shell, the attacker gains complete control over the XWiki instance, enabling data theft, modification, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers complete control over the XWiki instance. This can lead to the theft of sensitive data stored within the XWiki, unauthorized modification of existing data, or a complete denial of service. While the exact number of potential victims is unknown, any XWiki instance running a vulnerable version is at risk, particularly those where script rights are broadly assigned. This vulnerability has the potential to severely impact organizations relying on XWiki for critical business functions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XWiki instances to version 17.4.8 or 17.10.1 or later to patch CVE-2026-33229.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious XWiki Velocity Scripting API Usage\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict script rights assignments within XWiki to minimize the attack surface, as mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T15:00:17Z","date_published":"2026-04-08T15:00:17Z","id":"/briefs/2026-04-xwiki-rce/","summary":"XWiki is vulnerable to remote code execution due to an improperly protected scripting API, allowing users with script rights to bypass the Velocity scripting API sandbox and execute arbitrary code, leading to full instance compromise.","title":"XWiki Remote Code Execution via Unprotected Velocity Scripting API","url":"https://feed.craftedsignal.io/briefs/2026-04-xwiki-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-api (\u003e= 2.7.0, \u003c 2.7.9)","openmrs-api (\u003e= 2.8.0, \u003c 2.8.6)"],"_cs_severities":["critical"],"_cs_tags":["ssti","rce","velocity","openmrs"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS is vulnerable to a critical security flaw stemming from the unsafe use of Apache Velocity templates. Specifically, the \u003ccode\u003eConceptReferenceRangeUtility.evaluateCriteria()\u003c/code\u003e method processes database-stored criteria strings as Velocity templates without any sandbox restrictions. This allows for unrestricted Java reflection through template expressions. A user possessing the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege can inject a malicious Velocity template expression into a concept\u0026rsquo;s reference range criteria field. This payload will then execute automatically whenever a user or an API call validates an observation against the compromised concept. This issue impacts OpenMRS versions 2.7.0 through 2.7.8, and 2.8.0 through 2.8.5. Successful exploitation allows an attacker to escalate privileges from content management to arbitrary code execution as the Tomcat application server process, with the potential for exfiltration of protected health information (PHI). The vulnerability is identified as CVE-2026-41258.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an OpenMRS account with the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the concept dictionary management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a commonly used concept, such as one for a standard clinical measurement.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the concept and injects a malicious Velocity template expression into the concept\u0026rsquo;s reference range criteria field. The expression leverages Java reflection to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe malicious template is saved and stored in the \u003ccode\u003econcept_reference_range\u003c/code\u003e database table.\u003c/li\u003e\n\u003cli\u003eA user or API call validates an observation against the affected concept, triggering the execution of the stored Velocity template.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the Tomcat application server process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing a web shell for persistent access or exfiltrating patient data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for persistent remote code execution on the OpenMRS server. The injected payload persists within the \u003ccode\u003econcept_reference_range\u003c/code\u003e database table (VARCHAR 65535). A single compromised concept, especially one used for common clinical measurements, can lead to the execution of the malicious payload on every subsequent observation validation across all users, API clients, and integrations. This affects all facilities using the compromised OpenMRS instance. The attacker can escalate privileges from content dictionary management to arbitrary code execution and potentially exfiltrate PHI data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS to version 2.8.6 or 2.7.9 or later to patch CVE-2026-41258.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege to only authorized users, as mentioned in the advisory\u0026rsquo;s workarounds.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule detecting Velocity template injection attempts to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement database monitoring to detect unauthorized modifications to the \u003ccode\u003econcept_reference_range\u003c/code\u003e table to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-ssti/","summary":"OpenMRS is vulnerable to a Stored Velocity SSTI to RCE via ConceptReferenceRange, where the `ConceptReferenceRangeUtility.evaluateCriteria()` method evaluates database-stored criteria strings as Apache Velocity templates without a sandbox, allowing unrestricted Java reflection through template expressions, leading to persistent remote code execution and privilege escalation when a user with the `Manage Concepts` privilege stores a malicious Velocity template expression in a concept's reference range criteria field.","title":"OpenMRS Stored Velocity SSTI to RCE via ConceptReferenceRange","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed — Velocity","version":"https://jsonfeed.org/version/1.1"}