Vendor
DSpace versions 8.0 through 8.3, 9.0 through 9.2, and 10.0-rc1 are vulnerable to Remote Code Execution (RCE) via Velocity Templates used for COAR Notify/LDN messages, allowing an attacker with DSpace administrator credentials to execute direct Java code using reflection, a high-impact vulnerability that can be chained with a related path traversal attack (GHSA-9qm4-rh6w-pq5x).