It is possible to reference certain fields and methods from within a template, which eventually allows the execution of arbitrary methods.
For example, by utilizing the 'class' field or the 'getClass()' method of any variable, it is possible to obtain the variable's class object. This can be extended to obtain arbitrary class objects and execute arbitrary methods.
For example, the following statement results in the execution of 'xterm':
As a standalone:
This issue has already been made public in the past by James Kettle in August 2015 (see http://blog.portswigger.net/2015/08/server-side-template-injection.html#Velocity) and via CVE-2015-5603 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5603) and possibly others.
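One configuration-level mitigation for Apache Velocity, shown here as an added example that is not taken from the advisory or from the referenced posts: switching the engine to SecureUberspector, which refuses method lookups on the classes the reflection chain relies on (java.lang.Class, ClassLoader, Runtime, System, Thread and the java.lang.reflect package by default), so a template cannot proceed past the Class object obtained from 'class' or 'getClass()'. The Velocity 1.7 API, the class name SecureVelocityExample and the sample context value are assumptions of this example.

```java
// Added example (not the advisory's code): hardening a Velocity 1.7 engine
// against template text that tries to reach reflection via $var.class.
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class SecureVelocityExample {

    static VelocityEngine newHardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        // SecureUberspector replaces the default introspector. Its introspector
        // refuses to resolve methods on the restricted classes (java.lang.Class,
        // ClassLoader, Runtime, System, Thread, ...) and on java.lang.reflect,
        // logs a warning, and returns null instead of a method to invoke.
        // $user.class may still yield a Class object, but no method can be
        // called on it, so forName()/getRuntime()-style chains stop there.
        engine.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // The deny lists can be tuned with the properties
        // "introspector.restrict.classes" and "introspector.restrict.packages";
        // the shipped defaults are used here.
        engine.init();
        return engine;
    }

    // Renders untrusted template text against a context holding plain data only.
    static String render(VelocityEngine engine, String untrustedTemplate) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", "alice"); // constructed sample value
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "untrusted-template", untrustedTemplate);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = newHardenedEngine();
        // Ordinary variable substitution keeps working under the secure introspector.
        System.out.println(render(engine, "Hello $user"));
    }
}
```

Restricting the introspector does not remove the need to keep untrusted input out of template source in the first place; it limits what a template can reach if that separation fails.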