VYPR

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

Abstraction: Base · Status: Incomplete

Description

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (129)

page 1 of 7
  • CVE-2025-34300 · Critical · Jul 16, 2025
    risk 0.74 · cvss n/a · epss 0.49

    A template injection vulnerability exists in Sawtooth Software's Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl Perl web application. Exploitation allows an unauthenticated attacker to execute arbitrary commands.

  • CVE-2024-6386 · Critical · Aug 21, 2024
    risk 0.70 · cvss 9.9 · epss 0.25

    The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated…

  • CVE-2024-32651 · Critical · Apr 26, 2024
    risk 0.65 · cvss 10.0 · epss 0.84

    changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command…

  • CVE-2026-45312 · Critical · May 29, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can…

  • CVE-2026-9558 · Critical · May 29, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute…

  • CVE-2026-1868 · Critical · Feb 9, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template expansion of user supplied…

  • CVE-2026-34906 · Critical · Jun 2, 2026
    risk 0.60 · cvss n/a · epss 0.01

    Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template…

  • CVE-2026-41901 · Critical · May 12, 2026
    risk 0.59 · cvss 9.0 · epss 0.00

    Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially…

  • CVE-2026-40478 · Critical · Apr 17, 2026
    risk 0.59 · cvss 9.0 · epss 0.01

    Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it…

  • CVE-2026-40477 · Critical · Apr 17, 2026
    risk 0.59 · cvss 9.0 · epss 0.01

    Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it…

  • CVE-2025-53833 · Critical · Jul 14, 2025
    risk 0.59 · cvss 10.0 · epss 0.09

    LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations.…

  • CVE-2024-12583 · Critical · Jan 4, 2025
    risk 0.58 · cvss 9.9 · epss 0.01

    The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function.…

  • CVE-2026-45697 · Critical · May 29, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the…

  • CVE-2026-42203 · High · May 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run…

  • CVE-2026-28797 · High · Apr 3, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's…

  • CVE-2026-33654 · Critical · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and…

  • CVE-2025-10380 · High · Sep 23, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig…

  • CVE-2025-32461 · Critical · Apr 9, 2025
    risk 0.57 · cvss 9.9 · epss 0.01

    wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

  • CVE-2025-25362 · Critical · Mar 5, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.

  • CVE-2024-9150 · High · Feb 21, 2025
    risk 0.57 · cvss n/a · epss 0.00

    Report generation functionality in Wyn Enterprise allows for code inclusion but does not sufficiently limit what code might be included. An attacker is able to use a low-privilege account in order to abuse this functionality and execute malicious code, load DLL libraries and…