Common Weakness Enumeration

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

CVE-2025-3841 (GCVE-0-2025-3841)

Vulnerability from cvelistv5 – Published: 2025-04-21 19:31 – Updated: 2025-04-24 12:10
VLAI
Title
wix-incubator jam Jinja2 Template jam.py special elements used in a template engine
Summary
A vulnerability, which was classified as problematic, was found in wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9. This affects an unknown part of the file jam.py of the component Jinja2 Template Handler. The manipulation of the argument config['template'] leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
  • CWE-791 - Incomplete Filtering of Special Elements
Assigner
References
URL Tags
https://vuldb.com/?id.305769 vdb-entrytechnical-description
https://vuldb.com/?ctiid.305769 signaturepermissions-required
https://vuldb.com/?submit.555905 third-party-advisory
https://github.com/wix-incubator/jam/issues/1 exploitissue-tracking
Impacted products
Vendor Product Version
wix-incubator jam Affected: e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9
Create a notification for this product.
Credits
ybdesire (VulDB User) ybdesire (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3841",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T19:38:40.502511Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T19:45:23.287Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/wix-incubator/jam/issues/1"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Jinja2 Template Handler"
          ],
          "product": "jam",
          "vendor": "wix-incubator",
          "versions": [
            {
              "status": "affected",
              "version": "e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ybdesire (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "ybdesire (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as problematic, was found in wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9. This affects an unknown part of the file jam.py of the component Jinja2 Template Handler. The manipulation of the argument config[\u0027template\u0027] leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available."
        },
        {
          "lang": "de",
          "value": "Es wurde eine problematische Schwachstelle in wix-incubator jam bis e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9 gefunden. Betroffen hiervon ist ein unbekannter Ablauf der Datei jam.py der Komponente Jinja2 Template Handler. Mit der Manipulation des Arguments config[\u0027template\u0027] mit unbekannten Daten kann eine improper neutralization of special elements used in a template engine-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verf\u00fcgbar."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 1.7,
            "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-791",
              "description": "Incomplete Filtering of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-24T12:10:27.236Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-305769 | wix-incubator jam Jinja2 Template jam.py special elements used in a template engine",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.305769"
        },
        {
          "name": "VDB-305769 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.305769"
        },
        {
          "name": "Submit #555905 | wix-incubator jam 0.0 Improper Neutralization of Special Elements Used in a Template E",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.555905"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/wix-incubator/jam/issues/1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-21T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-04-21T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-04-24T14:04:21.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "wix-incubator jam Jinja2 Template jam.py special elements used in a template engine"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-3841",
    "datePublished": "2025-04-21T19:31:04.546Z",
    "dateReserved": "2025-04-21T13:06:48.761Z",
    "dateUpdated": "2025-04-24T12:10:27.236Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40900 (GCVE-0-2025-40900)

Vulnerability from cvelistv5 – Published: 2026-05-19 13:17 – Updated: 2026-06-09 09:02
VLAI
Title
Angular template injection in Reports in Guardian/CMC before 26.1.0
Summary
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper neutralization of special elements used in a template engine
Assigner
Impacted products
Date Public
2026-05-19 07:00
Credits
This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-40900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T14:09:06.088185Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T14:09:56.116Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM APE1808",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T09:02:23.633Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-827968.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Guardian",
          "vendor": "Nozomi Networks",
          "versions": [
            {
              "lessThan": "26.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CMC",
          "vendor": "Nozomi Networks",
          "versions": [
            {
              "lessThan": "26.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.1.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.1.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation."
        }
      ],
      "datePublic": "2026-05-19T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration."
            }
          ],
          "value": "An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336 Improper neutralization of special elements used in a template engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T13:17:21.852Z",
        "orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
        "shortName": "Nozomi"
      },
      "references": [
        {
          "url": "https://security.nozominetworks.com/NN-2026:3-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to v26.1.0 or later.\u003cbr\u003e"
            }
          ],
          "value": "Upgrade to v26.1.0 or later."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Angular template injection in Reports in Guardian/CMC before 26.1.0",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use internal firewall features to limit access to the web management interface.\u003cbr\u003e"
            }
          ],
          "value": "Use internal firewall features to limit access to the web management interface."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Review all accounts with access to it and delete unnecessary ones.\u003cbr\u003e"
            }
          ],
          "value": "Review all accounts with access to it and delete unnecessary ones."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
    "assignerShortName": "Nozomi",
    "cveId": "CVE-2025-40900",
    "datePublished": "2026-05-19T13:17:21.852Z",
    "dateReserved": "2025-04-16T09:04:35.923Z",
    "dateUpdated": "2026-06-09T09:02:23.633Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-46661 (GCVE-0-2025-46661)

Vulnerability from cvelistv5 – Published: 2025-04-28 00:00 – Updated: 2025-04-28 16:31
VLAI
Summary
IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
IPW Metazo Affected: 0 , ≤ 8.1.3 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46661",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-28T15:47:05.178059Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-28T16:31:04.425Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Metazo",
          "vendor": "IPW",
          "versions": [
            {
              "lessThanOrEqual": "8.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-28T13:13:09.272Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://code-white.com/public-vulnerability-list/"
        },
        {
          "url": "https://www.ipwsystems.com/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-46661",
    "datePublished": "2025-04-28T00:00:00.000Z",
    "dateReserved": "2025-04-26T00:00:00.000Z",
    "dateUpdated": "2025-04-28T16:31:04.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46699 (GCVE-0-2025-46699)

Vulnerability from cvelistv5 – Published: 2026-01-23 09:53 – Updated: 2026-01-23 15:12
VLAI
Summary
Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
Impacted products
Vendor Product Version
Dell Data Protection Advisor Affected: N/A , < 19.12 (semver)
Create a notification for this product.
Date Public
2026-01-20 18:30
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-23T15:11:41.827726Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-23T15:12:19.272Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Data Protection Advisor",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "19.12",
              "status": "affected",
              "version": "N/A",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-01-20T18:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure."
            }
          ],
          "value": "Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-23T09:53:55.839Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000281732/dsa-2025-075-security-update-for-dell-data-protection-advisor-for-multiple-component-vulnerabilities"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2025-46699",
    "datePublished": "2026-01-23T09:53:55.839Z",
    "dateReserved": "2025-04-28T05:03:43.645Z",
    "dateUpdated": "2026-01-23T15:12:19.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-46731 (GCVE-0-2025-46731)

Vulnerability from cvelistv5 – Published: 2025-05-05 19:35 – Updated: 2025-05-05 20:03
VLAI
Title
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Summary
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
craftcms cms Affected: >= 4.0.0-RC1, < 4.14.13
Affected: >= 5.0.0-RC1, < 5.6.15
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46731",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T20:03:33.766996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T20:03:42.802Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.14.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.6.15"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-05T19:35:31.347Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"
        },
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
        },
        {
          "name": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
        },
        {
          "name": "http://github.com/craftcms/cms/pull/17026",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/craftcms/cms/pull/17026"
        }
      ],
      "source": {
        "advisory": "GHSA-7c58-g782-9j38",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46731",
    "datePublished": "2025-05-05T19:35:31.347Z",
    "dateReserved": "2025-04-28T20:56:09.085Z",
    "dateUpdated": "2025-05-05T20:03:42.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-47916 (GCVE-0-2025-47916)

Vulnerability from cvelistv5 – Published: 2025-05-16 00:00 – Updated: 2025-05-17 05:03
VLAI
Summary
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
invisioncommunity Invision Power Board Affected: 5.0.0 , < 5.0.7 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47916",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-16T16:27:48.468993Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-16T16:27:51.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://karmainsecurity.com/KIS-2025-02"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-17T05:03:09.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2025/May/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Invision Power Board",
          "vendor": "invisioncommunity",
          "versions": [
            {
              "lessThan": "5.0.7",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.0.7",
                  "versionStartIncluding": "5.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-16T14:59:22.006Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://invisioncommunity.com/release-notes-v5/507-r41/"
        },
        {
          "url": "https://karmainsecurity.com/KIS-2025-02"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-47916",
    "datePublished": "2025-05-16T00:00:00.000Z",
    "dateReserved": "2025-05-14T00:00:00.000Z",
    "dateUpdated": "2025-05-17T05:03:09.924Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49136 (GCVE-0-2025-49136)

Vulnerability from cvelistv5 – Published: 2025-06-09 16:21 – Updated: 2025-06-10 13:25
VLAI
Title
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
Summary
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
knadh listmonk Affected: >= 4.0.0, < 5.0.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49136",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T13:24:43.793880Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-10T13:25:02.262Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "listmonk",
          "vendor": "knadh",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 5.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-09T16:21:48.266Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h"
        },
        {
          "name": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e"
        },
        {
          "name": "https://github.com/knadh/listmonk/releases/tag/v5.0.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/knadh/listmonk/releases/tag/v5.0.2"
        }
      ],
      "source": {
        "advisory": "GHSA-jc7g-x28f-3v3h",
        "discovery": "UNKNOWN"
      },
      "title": "listmonk\u0027s Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49136",
    "datePublished": "2025-06-09T16:21:48.266Z",
    "dateReserved": "2025-06-02T10:39:41.634Z",
    "dateUpdated": "2025-06-10T13:25:02.262Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49142 (GCVE-0-2025-49142)

Vulnerability from cvelistv5 – Published: 2025-06-10 15:40 – Updated: 2025-06-10 17:10
VLAI
Title
Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating
Summary
Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
nautobot nautobot Affected: < 1.6.32
Affected: >= 2.0.0, < 2.4.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T17:10:17.082932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-10T17:10:21.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nautobot",
          "vendor": "nautobot",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.32"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.4.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T15:40:21.105Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx"
        },
        {
          "name": "https://github.com/nautobot/nautobot/pull/7417",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/pull/7417"
        },
        {
          "name": "https://github.com/nautobot/nautobot/pull/7429",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/pull/7429"
        },
        {
          "name": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description"
        },
        {
          "name": "https://jinja.palletsprojects.com/en/stable/sandbox",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jinja.palletsprojects.com/en/stable/sandbox"
        }
      ],
      "source": {
        "advisory": "GHSA-wjw6-95h5-4jpx",
        "discovery": "UNKNOWN"
      },
      "title": "Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49142",
    "datePublished": "2025-06-10T15:40:21.105Z",
    "dateReserved": "2025-06-02T10:39:41.634Z",
    "dateUpdated": "2025-06-10T17:10:21.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49619 (GCVE-0-2025-49619)

Vulnerability from cvelistv5 – Published: 2025-06-07 00:00 – Updated: 2025-06-17 21:01
VLAI
Summary
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
Skyvern Skyvern Affected: 0 , ≤ 0.1.85 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49619",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-09T15:13:24.172326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-09T15:13:27.268Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://cristibtz.blog/posts/CVE-2025-49619/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Skyvern",
          "vendor": "Skyvern",
          "versions": [
            {
              "lessThanOrEqual": "0.1.85",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-17T21:01:16.030Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/Skyvern-AI/skyvern/commit/db856cd8433a204c8b45979c70a4da1e119d949d"
        },
        {
          "url": "https://cristibtz.github.io/posts/CVE-2025-49619/"
        },
        {
          "url": "https://www.exploit-db.com/exploits/52335"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-49619",
    "datePublished": "2025-06-07T00:00:00.000Z",
    "dateReserved": "2025-06-07T00:00:00.000Z",
    "dateUpdated": "2025-06-17T21:01:16.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49828 (GCVE-0-2025-49828)

Vulnerability from cvelistv5 – Published: 2025-07-15 19:35 – Updated: 2025-11-04 21:11
VLAI
Title
Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution
Summary
Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
cyberark conjur Affected: Conjur OSS >= 1.20.1, < 1.21.2
Affected: Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) >= 13.1, < 13.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49828",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T19:50:16.491860Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T20:12:43.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:11:23.944Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/08/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/16/7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "conjur",
          "vendor": "cyberark",
          "versions": [
            {
              "status": "affected",
              "version": "Conjur OSS \u003e= 1.20.1, \u003c 1.21.2"
            },
            {
              "status": "affected",
              "version": "Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) \u003e= 13.1, \u003c 13.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-15T19:35:58.743Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cyberark/conjur/security/advisories/GHSA-93hx-v9pv-qrm4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cyberark/conjur/security/advisories/GHSA-93hx-v9pv-qrm4"
        },
        {
          "name": "https://github.com/cyberark/conjur/releases/tag/v1.21.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cyberark/conjur/releases/tag/v1.21.2"
        }
      ],
      "source": {
        "advisory": "GHSA-93hx-v9pv-qrm4",
        "discovery": "UNKNOWN"
      },
      "title": "Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49828",
    "datePublished": "2025-07-15T19:35:33.147Z",
    "dateReserved": "2025-06-11T14:33:57.799Z",
    "dateUpdated": "2025-11-04T21:11:23.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Mitigation

Phase: Implementation

Description:

  • Use the template engine's sandbox or restricted mode, if available.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page