Sandbox bypass in Latte templates
Description
Latte template engine for PHP has a sandbox bypass that allows XSS via complex string expressions, fixed in versions 2.8.8, 2.9.6, and 2.10.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Latte is an open source template engine for PHP. Versions since 2.8.0 include a template sandbox, but a sandbox escape vulnerability exists in versions prior to 2.8.8, 2.9.6, and 2.10.8. The bug is in the PhpWriter::validateTokens method where complex expressions in double-quoted strings (e.g., {"$var"} or {="${var}"}) are not properly blocked, allowing injection into generated web pages [1][2].
Exploitation
An attacker who can supply template content to a Latte-based application can craft a string containing a complex expression (e.g., {"$var"} with user-controlled $var) that bypasses the sandbox. No special network position is required; the only precondition is that the application compiles attacker-supplied templates [2][4].
Impact
Successful exploitation leads to cross-site scripting (XSS) in web pages rendered by Latte. The attacker can inject arbitrary HTML/JavaScript, potentially stealing session cookies, redirecting users, or performing other client-side attacks. The sandbox escape undermines the intended security restrictions of the template engine [1][4].
Mitigation
The issue is fixed in Latte versions 2.8.8, 2.9.6, and 2.10.8. Users should upgrade to a patched version. If upgrading is not possible, the advisory recommends not accepting template input from untrusted sources [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
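As an added example (not code from the advisory or from the nette/latte project), the following PHP script turns the mitigation above into a check a deployment can run: it compiles the three templates that the fix commit added to Policy.violations.phpt under a sandbox policy and reports whether the installed Latte rejects complex expressions in double-quoted strings. It assumes a Composer-installed latte/latte 2.x with vendor/autoload.php next to the script (hypothetical location) and the 2.8+ sandbox API (Engine::setPolicy(), Engine::setSandboxMode(), Latte\Sandbox\SecurityPolicy::createSafePolicy(), Latte\Loaders\StringLoader).

```php
<?php
declare(strict_types=1);

// Added example (not code from the advisory or the nette/latte project).
// Assumes latte/latte 2.x installed through Composer, so that
// vendor/autoload.php sits next to this script (hypothetical location),
// and the 2.8+ sandbox API: Engine::setPolicy(), Engine::setSandboxMode(),
// Latte\Sandbox\SecurityPolicy::createSafePolicy().
require __DIR__ . '/vendor/autoload.php';

// Message thrown by PhpWriter::validateTokens in the fixed versions.
const FORBIDDEN_STRING_EXPR = 'Forbidden complex expressions in strings.';

/**
 * Build an engine in sandbox mode with the stock "safe" policy.
 * StringLoader with no template map treats the template name as the source.
 */
function sandboxedEngine(): Latte\Engine
{
    $latte = new Latte\Engine;
    $latte->setLoader(new Latte\Loaders\StringLoader);
    $latte->setPolicy(Latte\Sandbox\SecurityPolicy::createSafePolicy());
    $latte->setSandboxMode();
    return $latte;
}

/**
 * Compile each probe and classify the outcome:
 *   'blocked'  - rejected with the fix's error message
 *   'allowed'  - compiled without error (vulnerable, if a block was expected)
 *   'error: …' - rejected for a different reason
 */
function probeSandbox(Latte\Engine $latte, array $templates): array
{
    $results = [];
    foreach ($templates as $template) {
        try {
            $latte->compile($template);
            $results[$template] = 'allowed';
        } catch (Latte\CompileException $e) {
            $results[$template] = $e->getMessage() === FORBIDDEN_STRING_EXPR
                ? 'blocked'
                : 'error: ' . $e->getMessage();
        }
    }
    return $results;
}

/**
 * Probes mirror the cases the fix commit added to
 * tests/Latte/Policy.violations.phpt: the two double-quoted forms must be
 * rejected, the single-quoted control must compile.
 */
function expectedOutcomes(): array
{
    return [
        '{="{$var}"}'   => 'blocked',   // {$...} interpolation inside double quotes
        '{="${var}"}'   => 'blocked',   // ${...} interpolation inside double quotes
        '{=\'${var}\'}' => 'allowed',   // single quotes never interpolate
    ];
}

/** True when every probe behaves as the patched versions (2.8.8, 2.9.6, 2.10.8) do. */
function isPatched(Latte\Engine $latte): bool
{
    $expected = expectedOutcomes();
    $actual = probeSandbox($latte, array_keys($expected));
    $ok = true;
    foreach ($expected as $template => $want) {
        $got = $actual[$template] ?? 'missing';
        if ($got !== $want) {
            fwrite(STDERR, sprintf("%-16s expected %s, got %s\n", $template, $want, $got));
            $ok = false;
        }
    }
    return $ok;
}

$patched = isPatched(sandboxedEngine());
echo $patched
    ? "sandbox rejects complex string expressions (fixed behaviour)\n"
    : "sandbox ACCEPTS complex string expressions: upgrade latte/latte\n";
exit($patched ? 0 : 1);
```

Run it from the project root (php check-latte-sandbox.php); a non-zero exit means the installed engine compiles at least one of the double-quoted probes inside the sandbox, which is exactly the pre-fix behaviour, and the package should be moved to a patched version. The check is deliberately narrow: it only tells you whether this particular validateTokens fix is present, not whether the rest of your sandbox policy is sound.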
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| latte/latte (Packagist) | >= 2.10.0, < 2.10.8 | 2.10.8 |
| latte/latte (Packagist) | >= 2.9.0, < 2.9.6 | 2.9.6 |
| latte/latte (Packagist) | >= 2.8.0, < 2.8.8 | 2.8.8 |
Affected products
Patches
9e1b4f7d70f7 PhpWriter: complex expression in strings prohibited in sandbox mode
2 files changed · +20 −0
src/Latte/Compiler/PhpWriter.php+8 −0 modified@@ -226,6 +226,14 @@ public function validateTokens(MacroTokens $tokens): void } elseif ($tokens->isCurrent('`')) { throw new CompileException('Backtick operator is forbidden in Latte.'); + } elseif ( + $this->policy + && $tokens->isCurrent($tokens::T_STRING) + && $tokenValue[0] === '"' + && (strpos($tokenValue, '{$') !== false || strpos($tokenValue, '${') !== false) + ) { + throw new CompileException('Forbidden complex expressions in strings.'); + } elseif ( Helpers::startsWith($tokenValue, '$ʟ_') || ($this->policy && $tokens->isCurrent('$this'))
tests/Latte/Policy.violations.phpt+12 −0 modified@@ -128,3 +128,15 @@ Assert::exception(function () use ($latte) { Assert::exception(function () use ($latte) { $latte->compile('{do new stdClass}'); }, Latte\CompileException::class, "Forbidden keyword 'new' inside tag."); + +Assert::exception(function () use ($latte) { + $latte->compile('{="{$var}"}'); +}, Latte\CompileException::class, 'Forbidden complex expressions in strings.'); + +Assert::exception(function () use ($latte) { + $latte->compile('{="${var}"}'); +}, Latte\CompileException::class, 'Forbidden complex expressions in strings.'); + +Assert::noError(function () use ($latte) { + $latte->compile('{=\'${var}\'}'); +});
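Review bot: in the PhpWriter.php hunk the new branch matches the raw token text with strpos($tokenValue, '{$') and strpos($tokenValue, '${') rather than tokenizing the string, so a double-quoted literal that only contains those characters because the dollar is escaped (for example "\${var}", which prints literally) is rejected too. That fails closed, which is the right default for a sandbox, but a one-line comment saying the substring check is intentionally over-broad would keep a later contributor from "fixing" it into a bypass. The guard also correctly keys on $this->policy, so non-sandbox compilation is unaffected; reading $tokenValue[0] is safe only because it sits after the isCurrent($tokens::T_STRING) test, so the && order should not be changed.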
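Review bot: the Policy.violations.phpt hunk covers both interpolation syntaxes plus a single-quoted control, but nothing pins the gating condition: a companion Assert::noError that compiles '{="{$var}"}' on an engine with no policy set would catch a future change to the $this->policy guard that turns the check on (or off) everywhere. A case with an escaped dollar in double quotes, e.g. '{="\${var}"}', would also document the deliberate false positive of the substring match, since that literal contains ${ and is rejected even though it interpolates nothing.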
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-36m2-8rhx-f36j (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-21648 (GHSA, advisory)
- [3] github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0 (GHSA, x_refsource_MISC, web)
- [4] github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j (GHSA, x_refsource_CONFIRM, web)