CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
BaseIncomplete
Description
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (52)
page 2 of 3| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-58303 | Hig | 0.56 | — | 0.00 | Dec 11, 2025 | FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation. | |
| CVE-2024-58293 | Hig | 0.56 | — | 0.00 | Dec 11, 2025 | Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations. | |
| CVE-2026-34587 | Hig | 0.53 | 8.1 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints. | |
| CVE-2026-40320 | Hig | 0.51 | 7.8 | 0.00 | Apr 17, 2026 | Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the ConformityCheck class rendered the rule parameter through Jinja2's default Template() constructor, silently interpreting template expressions at runtime. If check definitions are loaded from an untrusted source, a crafted rule string could achieve arbitrary code execution. Exploitation requires write access to a check definition and subsequent execution of the test suite. This issue has been fixed in giskard-checks version 1.0.2b1. | |
| CVE-2026-34202 | Hig | 0.49 | 7.5 | 0.00 | Mar 31, 2026 | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1. | |
| CVE-2026-32261 | Hig | 0.48 | — | 0.00 | Mar 16, 2026 | Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0. | |
| CVE-2024-38363 | Hig | 0.48 | 8.5 | 0.02 | Jul 9, 2024 | Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2. | |
| CVE-2026-33392 | Hig | 0.47 | 7.2 | 0.00 | Apr 17, 2026 | In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass | |
| CVE-2026-34724 | Hig | 0.47 | 7.2 | 0.00 | Apr 8, 2026 | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. | |
| CVE-2025-65106 | Hig | 0.47 | — | 0.00 | Nov 21, 2025 | LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7. | |
| CVE-2025-6761 | Hig | 0.47 | 7.3 | 0.00 | Jun 27, 2025 | A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0. It has been rated as critical. Affected by this issue is the function plugin.buildMobilePopHtml of the file \k3\o2o\bos\webapp\action\DynamicForm 4 Action.class of the component Freemarker Engine. The manipulation leads to improper neutralization of special elements used in a template engine. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The vendor explains, that in the fixed release "Freemarker is set to 'ALLOWS_NOTHING_RESOLVER' to not parse any classes." | |
| CVE-2024-57177 | Hig | 0.47 | 7.3 | 0.00 | Feb 10, 2025 | A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information | |
| CVE-2024-39766 | Hig | 0.46 | 7.0 | 0.00 | Nov 13, 2024 | Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2025-26789 | Med | 0.45 | — | 0.00 | Feb 14, 2025 | An issue was discovered in Logpoint AgentX before 1.5.0. A vulnerability caused by limited access controls allowed li-admin users to access sensitive information about AgentX Manager in a Logpoint deployment. | |
| CVE-2026-33154 | Hig | 0.42 | 7.5 | 0.00 | Mar 20, 2026 | dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13. | |
| CVE-2024-41950 | Hig | 0.42 | 7.5 | 0.03 | Jul 31, 2024 | Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`. | |
| CVE-2026-5559 | Med | 0.41 | 6.3 | 0.00 | Apr 5, 2026 | A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function _is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |
| CVE-2026-3725 | Med | 0.41 | 6.3 | 0.00 | Mar 8, 2026 | A flaw has been found in 1024-lab/lab1024 SmartAdmin up to 3.29. Affected by this issue is the function freemarkerResolverContent of the file sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java of the component FreeMarker Template Handler. Executing a manipulation of the argument template_content can lead to improper neutralization of special elements used in a template engine. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-14731 | Med | 0.41 | 6.3 | 0.00 | Dec 16, 2025 | A weakness has been identified in CTCMS Content Management System up to 2.1.2. This affects an unknown function in the library /ctcms/apps/libraries/CT_Parser.php of the component Frontend/Template Management Module. This manipulation causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | |
| CVE-2025-6518 | Med | 0.41 | 6.3 | 0.00 | Jun 23, 2025 | A vulnerability was found in PySpur-Dev pyspur up to 0.1.18. It has been classified as critical. Affected is the function SingleLLMCallNode of the file backend/pyspur/nodes/llm/single_llm_call.py of the component Jinja2 Template Handler. The manipulation of the argument user_message leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |