I uncovered a critical Remote Code Execution (RCE) vulnerability in Komm.One’s Content Management System version . Initially, I identified a Server-Side Template Injection (SSTI) flaw in the Velocity template engine that led to arbitrary code execution and affected several hundred sites. All vulnerable instances have since been fixed.

Initial Finding

While examining a website, I discovered that the SSTI payload below was echoed back in the response in processed (evaluated) form:


Payload decoded:
#set ($a=930*885) jpqdp${a}y3t0r


This shows that the computation takes place on the server side, which points to a potential remote code execution 💥.


To determine which template engine was in use, I referred to this informative blog: Since the successful payload used #set, I began crafting Velocity payloads.


The RCE payload example given on that page didn’t work. After numerous attempts and some experimentation of my own, I arrived at the following working payload:


#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($

Final exploit


The final payload executes the ls command inside the Velocity engine, and the complete command output is returned in the page response, i.e. full RCE.
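As an added example (my own code, not code from this write-up, from Komm.One or from Apache Velocity), the following Python shows two checks a defender wants around a report like this one: deciding from a response body whether the arithmetic probe quoted above was evaluated or merely echoed back, which is how you verify a fix across many instances, and flagging access-log requests that carry Velocity directives so that probing can be spotted in hindsight. The 930*885 probe is the one from the write-up; the response bodies, the log lines and the client addresses are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# The arithmetic probe from the write-up: a #set directive followed by a
# reference wrapped in random marker strings, so the evaluated number can be
# located unambiguously in the response body.
PROBE = "#set ($a=930*885) jpqdp${a}y3t0r"

_PROBE_RE = re.compile(
    r"#set\s*\(\s*\$(\w+)\s*=\s*(\d+)\s*\*\s*(\d+)\s*\)\s*(\S*?)\$\{\1\}(\S*)"
)


def expected_reflection(probe):
    """Return (verbatim, evaluated) for a '#set ($x=A*B) PREFIX${x}SUFFIX' probe.

    verbatim  - what a page that does NOT evaluate templates echoes back
    evaluated - what a page that DOES run the directive renders instead
    """
    m = _PROBE_RE.fullmatch(probe)
    if m is None:
        raise ValueError("probe is not of the form '#set ($x=A*B) prefix${x}suffix'")
    _var, a, b, prefix, suffix = m.groups()
    return probe, f"{prefix}{int(a) * int(b)}{suffix}"


def classify_response(probe, body):
    """Classify how a response body treated the probe.

    'evaluated' - the product sits between the markers: the engine ran #set,
                  so the page is still vulnerable (or the fix is incomplete)
    'reflected' - the probe came back unchanged (raw or HTML-escaped): input is
                  echoed but not interpreted as a template
    'absent'    - neither form is present
    """
    verbatim, evaluated = expected_reflection(probe)
    if evaluated in body:
        return "evaluated"
    if verbatim in body or html.escape(verbatim) in body:
        return "reflected"
    return "absent"


# Velocity directives and class-introspection references inside a URL are not
# something an ordinary site visitor types; treat them as SSTI probes. This is a
# heuristic for triage, not a complete grammar of the template language.
_DIRECTIVE_RE = re.compile(
    r"#(?:set|foreach|if|evaluate|parse|include|define|macro)\s*\("
    r"|\.class\b|getClass\s*\(",
    re.IGNORECASE,
)
_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')


def flag_velocity_probes(access_log_lines):
    """Return the URL-decoded request targets that contain Velocity syntax."""
    hits = []
    for line in access_log_lines:
        m = _REQUEST_RE.search(line)
        if m is None:
            continue
        target = unquote_plus(m.group(1))  # decode %23 -> '#', %24 -> '$', '+' -> ' '
        if _DIRECTIVE_RE.search(target):
            hits.append(target)
    return hits


# Constructed sample log lines (common log format); the first and third carry
# Velocity directives in the 'q' parameter, the second is an ordinary search.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2023:10:01:02 +0100] "GET /search?q=%23set+%28%24a%3D930%2A885%29+jpqdp%24%7Ba%7Dy3t0r HTTP/1.1" 200 5123',
    '203.0.113.7 - - [14/Nov/2023:10:01:09 +0100] "GET /search?q=opening+hours HTTP/1.1" 200 4870',
    '203.0.113.5 - - [14/Nov/2023:10:02:41 +0100] "GET /search?q=%23foreach%28%24i+in+%5B1..3%5D%29%24i%23end HTTP/1.1" 200 5209',
]

if __name__ == "__main__":
    print(expected_reflection(PROBE))
    # Constructed response bodies: a still-vulnerable page and a fixed one.
    print(classify_response(PROBE, "<p>Results for: jpqdp823050y3t0r</p>"))
    print(classify_response(PROBE, "<p>Results for: #set ($a=930*885) jpqdp${a}y3t0r</p>"))
    for hit in flag_velocity_probes(SAMPLE_LOG):
        print("probe:", hit)
```

The response check is what "all CMS instances fixed after manual checking" boils down to in practice: a fixed page may still echo the submitted string, but it must never render the product between the two markers. The log check decodes the request target before matching, because the directive characters (#, $, braces) almost always arrive percent-encoded.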



Date        Event
2023.11.14  Vulnerability reported to the Federal Office for Information Security (BSI) through their Coordinated Vulnerability Disclosure (CVD) process.
2023.11.14  Acknowledgement received from BSI.
2023.11.21  Acknowledgement received from Komm.One CSIRT.
2023.11.22  All CMS instances fixed after manual checking.