SSTI CVE-2026-31864

EUVD-2026-12085 | MEDIUM
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-03-13 GitHub_M
CVSS 3.1: 6.8
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Apr 16, 2026 - 05:29, EUVD (4.10.16, 3.10.22)
EUVD ID Assigned: Mar 13, 2026 - 20:00, euvd (EUVD-2026-12085)
Analysis Generated: Mar 13, 2026 - 20:00, vuln.today
CVE Published: Mar 13, 2026 - 19:22, nvd (MEDIUM 6.8)

Description (NVD)

JumpServer is an open source bastion host and an operation and maintenance security audit system. A Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.
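As an added example (not JumpServer's code and not part of the advisory), the following pre-upload audit flags Applet/VirtualApp ZIP packages whose manifest contains default Jinja2 delimiters, so they can be reviewed before reaching an unpatched instance. It assumes the manifest may also be named manifest.yaml and may sit at any depth in the archive; the sample packages and their field names are constructed.

```python
import io
import re
import zipfile

# Default Jinja2 delimiters: {{ expr }}, {% statement %}, {# comment #}.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#")
MANIFEST_NAMES = ("manifest.yml", "manifest.yaml")  # .yaml variant is an assumption
MAX_MANIFEST_BYTES = 1 << 20  # refuse to decompress oversized members


def audit_package(zip_bytes):
    """Return (member, line_no, text) for every manifest line with template syntax."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        for info in pkg.infolist():
            # Match the manifest at any depth; packages may use a top-level folder.
            if info.filename.rsplit("/", 1)[-1].lower() not in MANIFEST_NAMES:
                continue
            if info.file_size > MAX_MANIFEST_BYTES:
                findings.append((info.filename, 0, "manifest too large to inspect"))
                continue
            text = pkg.read(info).decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), start=1):
                if TEMPLATE_SYNTAX.search(line):
                    findings.append((info.filename, no, line.strip()))
    return findings


def build_zip(files):
    """Build an in-memory ZIP from {name: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, text in files.items():
            pkg.writestr(name, text)
    return buf.getvalue()


# Constructed samples; field names are illustrative, not JumpServer's manifest schema.
CLEAN = build_zip({"demo/manifest.yml": "name: demo\nversion: 0.1\n"})
TEMPLATED = build_zip({
    "demo/manifest.yml": "name: demo\ncomment: '{{ placeholder }}'\n",
    "demo/README.md": "{{ not a manifest, ignored }}\n",
})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("templated", TEMPLATED)):
        for member, no, line in audit_package(sample):
            print(f"{label}: {member}:{no}: {line}")
```

A hit is a prompt for manual review rather than proof of malice, since braces can also appear in ordinary YAML values.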

Analysis (AI)

JumpServer contains a Server-Side Template Injection (SSTI) vulnerability in its Applet and VirtualApp upload functionality that allows authenticated administrators to execute arbitrary code within the JumpServer Core container. It affects JumpServer versions that render user-uploaded YAML manifest files through Jinja2 unsafely. …

Vulnerability Assessment (AI)

Risk Assessment: While the CVSS score of 6.8 appears moderate on its surface, the actual real-world risk is elevated but constrained by privilege requirements. …

Exploit Scenario: A JumpServer administrator with Application Applet Management permissions (either legitimate but malicious, or account compromised via phishing) creates a malicious ZIP package containing a manifest.yml file with embedded Jinja2 template injection payloads, such as: '{{ self.__init__.__globals__.__builtins__.__import__("os").system("id > /tmp/pwned") }}' or similar SSTI gadget chains. Upon uploading this package through the Applet/VirtualApp upload interface, the JumpServer Core application renders the manifest.yml through Jinja2 without sandbox restrictions, causing the injected template to execute arbitrary Python code within the container context. …

Remediation: 1. …

Recommended Action (AI)

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
