VYPR
High severityNVD Advisory· Published Mar 10, 2021· Updated Feb 13, 2025

Velocity Sandbox Bypass

CVE-2020-13936

Description

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.velocity:velocity-engine-parentMaven
< 2.32.3
org.apache.velocity:velocityMaven
<= 1.7

Affected products

156

Patches

Vulnerability mechanics

References

43

News mentions

0

No linked articles in our index yet.