diff --git a/CVE-2020-13959.patch b/CVE-2020-13959.patch
new file mode 100644
index 0000000..2d1fbd8
--- /dev/null
+++ b/CVE-2020-13959.patch
@@ -0,0 +1,25 @@
+From e141828a4eb03e4b0224535eed12b5c463a24152 Mon Sep 17 00:00:00 2001
+From: Jackson Henry <54763344+JHHAX@users.noreply.github.com>
+Date: Thu, 8 Oct 2020 14:18:25 +1100
+Subject: [PATCH] Fixed Reflected XSS Vuln
+
+Velocity Tools has an automatically generated error page, which echoes back the file name unescaped. This commit sanitizes user input and fixes the XSS Vulnerability!
+
+Updated XSS Vuln fix (used StringEscapeUtils)
+---
+ .../org/apache/velocity/tools/view/VelocityViewServlet.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java b/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
+index aff9b71d7..325ab0bba 100644
+--- a/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
++++ b/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
+@@ -460,7 +460,7 @@ protected void error(HttpServletRequest request,
+ html.append("
Error\n");
+ html.append("\n");
+ html.append("VelocityView : Error processing a template for path '");
+- html.append(path);
++ html.append(StringEscapeUtils.escapeHtml(path));
+ html.append("'
\n");
+
+ Throwable cause = e;
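Review bot: The new line `html.append(StringEscapeUtils.escapeHtml(path));` relies on `StringEscapeUtils` being resolvable in VelocityViewServlet.java, yet the embedded patch adds no import and its diffstat is one insertion and one deletion; unless the 2.0 source already imports `org.apache.commons.lang.StringEscapeUtils` (the commons-lang 2.x class that provides `escapeHtml`; in commons-lang3 the method is `escapeHtml4`), the build will fail once `%patch4` applies, so this is worth confirming against the tarball before release. The spec's existing `BuildRequires: mvn(commons-lang:commons-lang)` covers the dependency but not the import. The escaping is applied only to `path`; the `error` method continues past the hunk (`Throwable cause = e;` is the last visible line), and anything else appended into the same HTML page further down should be checked the same way, since the whole buffer is what the browser receives. The markup in the surrounding `html.append` context lines looks stripped in this rendering (the `Error` title line is split across two rows), so verify the patch file itself is intact rather than this view. A short comment on the escaped line would help the next reader, e.g. `// path is request-supplied; escape it before echoing into HTML (CVE-2020-13959)`.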
diff --git a/velocity-tools.spec b/velocity-tools.spec
index dac0dbf..15cf00e 100644
--- a/velocity-tools.spec
+++ b/velocity-tools.spec
@@ -1,6 +1,6 @@
Name: velocity-tools
Version: 2.0
-Release: 2
+Release: 3
Summary: Collection of useful tools for Velocity template engine
License: ASL 2.0
Url: http://velocity.apache.org/tools/releases/2.0/
@@ -9,6 +9,7 @@ Patch0: %{name}-%{version}-junit4.patch
Patch1: %{name}-%{version}-dont_copy_test_lib.patch
Patch2: %{name}-%{version}-servlet.patch
Patch3: %{name}-%{version}-port-to-dom4j-2.0.patch
+Patch4: CVE-2020-13959.patch
BuildRequires: maven-local mvn(commons-beanutils:commons-beanutils)
BuildRequires: mvn(commons-chain:commons-chain) mvn(commons-collections:commons-collections)
BuildRequires: mvn(commons-digester:commons-digester) mvn(commons-lang:commons-lang)
@@ -49,6 +50,7 @@ find . -name "*.class" -delete
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
sed -i 's/\r//' LICENSE NOTICE WHY_THREE_JARS.txt
%pom_remove_dep javax.servlet:servlet-api
%pom_remove_dep sslext:sslext
@@ -78,6 +80,9 @@ sed -i 's/\r//' LICENSE NOTICE WHY_THREE_JARS.txt
%license LICENSE NOTICE
%changelog
+* Sat Mar 20 2021 zhanghua - 2.0-3
+- fix CVE-2020-13959
+
* Tue Jan 26 2021 Ge Wang - 2.0-2
- remove dependence to sslext