Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:ebuild/dev-java/velocity@2.3
purl pkg:ebuild/dev-java/velocity@2.3
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-9bk7-2rsc-nbd6 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. CVE-2020-13936
GHSA-59j4-wjwp-mw9m
VCID-h1wx-mfju-eker Cross-site scripting (XSS) in Apache Velocity Tools The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks. CVE-2020-13959
GHSA-fh63-4r66-jc7v

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:14:25.999028+00:00 Gentoo Importer Fixing VCID-h1wx-mfju-eker https://security.gentoo.org/glsa/202107-52 38.0.0
2026-04-01T13:14:25.983790+00:00 Gentoo Importer Fixing VCID-9bk7-2rsc-nbd6 https://security.gentoo.org/glsa/202107-52 38.0.0