Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a template engine
Description
A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored template injection in Dromara lamp-cloud <=5.6.2 allows remote code execution via GroovyClassLoader parsing unsanitized message templates.
Vulnerability
A stored injection vulnerability exists in Dromara lamp-cloud up to version 5.6.2 within the message template handler. The DefMsgTemplate.content field is processed by GroovyClassLoader.parseClass() and subsequently executed via InvokerHelper.createScript().run() without proper sanitization. Additionally, the DefMsgTemplate.script and DefInterface.script fields can contain arbitrary Groovy code evaluated in the same manner, and the content field is also subject to FreeMarker Server-Side Template Injection (SSTI). No validation is performed on the script or content fields [1].
Exploitation
An attacker with network access and administrative privileges can POST malicious Groovy code to the /defMsgTemplate or /defInterface endpoints. The code is stored in the database and later evaluated when messages are processed, resulting in remote code execution. The public exploit details are available [1].
Impact
Successful exploitation results in remote code execution with the privileges of the application server. This can lead to full compromise of the server, including data disclosure, modification, and denial of service.
Mitigation
As of the publication date, the vendor has not responded and no patch is available. Users should restrict network access to administrative endpoints, monitor for suspicious activity, and consider disabling the message template feature if possible [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=5.6.2+ 1 more
- (no CPE)range: <=5.6.2
- (no CPE)range: <=5.6.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/Ku4D3/bug_story/blob/main/report_02.mdmitreexploit
- vuldb.com/submit/814103mitrethird-party-advisory
- vuldb.com/vuln/365481mitrevdb-entrytechnical-description
- vuldb.com/vuln/365481/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.