GHSA-59j4-wjwp-mw9m · Severity: high · Ecosystem: maven — Sandbox Bypass in Apache Velocity Engine
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Conclusion & alert: CVE-2020-13936 is rated High Risk (74.3/100): CVSS High severity, with high exploitation likelihood (EPSS 22.71%, 97th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +6.31% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 16.40% | 22.71% | +6.31% |
| 2 | 2026-06-10 | 16.76% | 16.40% | -0.36% |
| 3 | 2026-05-28 | — | 16.76% | — |
Full EPSS history (54 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 9.0 | 2.0 | HIGH |
|
8.0 | 10.0 | [email protected] |
GHSA-59j4-wjwp-mw9m · Severity: high · Ecosystem: maven — Sandbox Bypass in Apache Velocity Engine
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2020-13936 not yet assigned priority: Debian including 1 source packages (velocity), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-13936 |
gentoo
|
normal | CVE-2020-13936: 1 GLSA(s) (202107-52), 1 atom(s) (dev-java/velocity); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-13936 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2020-13936 |
suse
|
high | CVE-2020-13936 severity important: SUSE including 334 source package names (3.3.2-2.3:snakeyaml-1.31-150200.3.8.1, 5.0.0-beta1.2.122:snakeyaml-1.31-150200.3.8.1, …), 677 product×package rows across 51 product lines (Container containers/apache-pulsar, Container suse/manager/5.0/x86_64/server, … (51 product lines)): Fixed 446, Known Affected 231. | https://www.suse.com/security/cve/CVE-2020-13936/ |
ubuntu
|
medium | CVE-2020-13936 medium priority: Ubuntu including 1 source packages (velocity), 11 status rows across 11 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, trusty, upstream, xenial): ignored 4, released 3, not-affected 2, DNE 1, needs-triage 1. | https://ubuntu.com/security/CVE-2020-13936 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | velocity_engine | < 2.3 | cpe:2.3:a:apache:velocity_engine:*:*:*:*:*:*:*:* |
| apache | wss4j | 2.3.1 | cpe:2.3:a:apache:wss4j:2.3.1:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| oracle | banking_deposits_and_lines_of_credit_servicing | 2.12.0 | cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:* |
| oracle | banking_enterprise_default_management | >= 2.3.0, <= 2.4.1 | cpe:2.3:a:oracle:banking_enterprise_default_management:*:*:*:*:*:*:*:* |
| oracle | banking_enterprise_default_management | 2.6.2 | cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:* |
| oracle | banking_enterprise_default_management | 2.7.1 | cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:* |
| oracle | banking_enterprise_default_management | 2.10.0 | cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:* |
| oracle | banking_enterprise_default_management | 2.12.0 | cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:* |
| oracle | banking_loans_servicing | 2.12.0 | cpe:2.3:a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:* |
| oracle | banking_party_management | 2.7.0 | cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:* |
| oracle | banking_platform | >= 2.3.0, <= 2.4.1 | cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* |
| oracle | banking_platform | 2.6.2 | cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* |
| oracle | banking_platform | 2.7.1 | cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_policy | 1.14.0 | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* |
| oracle | communications_network_integrity | 7.3.6 | cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:* |
| oracle | hospitality_token_proxy_service | 19.2 | cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:* |
| oracle | retail_integration_bus | 19.0.1 | cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:* |
| oracle | retail_order_broker | 16.0 | cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* |
| oracle | retail_service_backbone | 19.0.1 | cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:* |
| oracle | retail_xstore_office_cloud_service | 16.0.6 | cpe:2.3:a:oracle:retail_xstore_office_cloud_service:16.0.6:*:*:*:*:*:*:* |
| oracle | retail_xstore_office_cloud_service | 17.0.4 | cpe:2.3:a:oracle:retail_xstore_office_cloud_service:17.0.4:*:*:*:*:*:*:* |
| oracle | retail_xstore_office_cloud_service | 18.0.3 | cpe:2.3:a:oracle:retail_xstore_office_cloud_service:18.0.3:*:*:*:*:*:*:* |
| oracle | retail_xstore_office_cloud_service | 19.0.2 | cpe:2.3:a:oracle:retail_xstore_office_cloud_service:19.0.2:*:*:*:*:*:*:* |
| oracle | retail_xstore_office_cloud_service | 20.0.1 | cpe:2.3:a:oracle:retail_xstore_office_cloud_service:20.0.1:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.2.2 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.3.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:* |