PatchSiren cyber security CVE debrief
CVE-2026-9498 Dromara CVE debrief
A remote code execution vulnerability exists in Dromara lamp-cloud versions up to 5.6.2, specifically within the Message Template Handler component. It stems from improper neutralization of special elements in the GroovyClassLoader.parseClass function when processing the DefMsgTemplate.content argument. An attacker with low privileges can exploit this template injection weakness remotely without user interaction. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no attack requirements, low privileges required, no user interaction, and low impacts on confidentiality, integrity, and availability. The exploit has been publicly disclosed and is confirmed to be functional. The vendor was contacted prior to disclosure but did not respond. The vulnerability is classified under CWE-791 (Incomplete Filtering of Special Elements) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).
- Vendor: Dromara
- Product: lamp-cloud
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations running Dromara lamp-cloud versions up to 5.6.2 with Message Template Handler functionality enabled; security teams monitoring for template injection vulnerabilities in Java/Groovy applications; developers maintaining lamp-cloud forks or dependent projects.
Technical summary
The vulnerability resides in how lamp-cloud's Message Template Handler processes user-supplied content through GroovyClassLoader.parseClass. Insufficient sanitization of the DefMsgTemplate.content parameter allows injection of malicious Groovy code into templates. When parsed and executed, this can lead to arbitrary code execution within the application context. The attack requires network access and low privileges, with no user interaction needed. The CVSS 4.0 metrics (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/E:P) reflect network accessibility, low complexity, and proven exploit availability with limited impacts due to privilege constraints.
Defensive priority
LOW
Recommended defensive actions
- Review and restrict access to Message Template Handler functionality in Dromara lamp-cloud deployments
- Implement input validation and sanitization for DefMsgTemplate.content parameter before processing through GroovyClassLoader.parseClass
- Consider disabling or sandboxing Groovy template execution if not business-critical
- Monitor for unauthorized template modifications or suspicious Groovy code execution patterns
- Apply vendor patches when available; given vendor non-response, consider alternative mitigations or fork maintenance
- Review application logs for indicators of template injection attempts targeting message template endpoints
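The sandboxing action above, as an added illustration that is not lamp-cloud's own code: a hypothetical RestrictedTemplateCompiler wrapper that routes template text through GroovyClassLoader.parseClass under a SecureASTCustomizer, assuming the Groovy 3.x setter names (Groovy 4 renames the *Whitelist setters to setAllowed*); the class name, the receiver allow-list and the sample inputs are assumptions.

```java
import groovy.lang.GroovyClassLoader;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.MultipleCompilationErrorsException;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

import java.util.Arrays;
import java.util.Collections;
import java.util.Optional;

/** Hypothetical wrapper around parseClass for message-template text (not lamp-cloud code). */
public final class RestrictedTemplateCompiler {

    /** Loader whose compiler rejects package declarations, method definitions, closures
     *  and every import, and permits method calls only on a few plain value types. */
    public static GroovyClassLoader restrictedLoader(ClassLoader parent) {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        secure.setPackageAllowed(false);            // no "package ..." in template text
        secure.setMethodDefinitionAllowed(false);   // no "def foo() { ... }"
        secure.setClosuresAllowed(false);           // no "{ -> ... }" blocks
        secure.setIndirectImportCheckEnabled(true); // fully-qualified class names are checked too
        // Empty allow-lists: any import statement fails compilation.
        secure.setImportsWhitelist(Collections.emptyList());
        secure.setStarImportsWhitelist(Collections.emptyList());
        secure.setStaticImportsWhitelist(Collections.emptyList());
        secure.setStaticStarImportsWhitelist(Collections.emptyList());
        // Assumed to be enough for building message text; widen only per reviewed need.
        secure.setReceiversClassesWhitelist(
                Arrays.asList(String.class, Integer.class, Long.class, Boolean.class));
        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(secure);
        return new GroovyClassLoader(parent, config);
    }

    /** Compiles template content under the restricted configuration; empty on rejection,
     *  so the caller refuses the template and raises an alert instead of executing it. */
    public static Optional<Class<?>> compile(String templateContent) {
        GroovyClassLoader loader =
                restrictedLoader(RestrictedTemplateCompiler.class.getClassLoader());
        try {
            return Optional.of(loader.parseClass(templateContent));
        } catch (MultipleCompilationErrorsException | SecurityException e) {
            // SecureASTCustomizer surfaces violations as compilation errors: log and reject.
            System.err.println("template rejected: " + e.getMessage());
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain message script, then one carrying an import statement.
        System.out.println(compile("'Order ' + orderId + ' has shipped'").isPresent());
        System.out.println(compile("import java.io.File\n'hello'").isPresent());
    }
}
```

SecureASTCustomizer operates on the AST at compile time and is documented as bypassable, so it is defense in depth behind the access restriction and input validation listed above, not a replacement for disabling Groovy evaluation of untrusted template content.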
Evidence notes
Vulnerability identified in Dromara lamp-cloud ≤5.6.2. Affected function: GroovyClassLoader.parseClass in Message Template Handler. Attack vector: remote manipulation of DefMsgTemplate.content parameter. CVSS 4.0 score: 2.1 (LOW). Weaknesses: CWE-791, CWE-1336. Exploit status: publicly disclosed and functional.
Official resources
Public disclosure occurred on 2026-05-25 with exploit availability confirmed. The vendor did not respond to pre-disclosure contact.