VYPR

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

BaseIncomplete

Description

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (129)

page 5 of 7
  • CVE-2026-11407Jun 17, 2026
    risk 0.00cvss epss 0.01

    Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig…

  • CVE-2026-33897Mar 26, 2026
    risk 0.00cvss epss 0.00

    Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the…

  • CVE-2026-28784Mar 4, 2026
    risk 0.00cvss epss 0.01

    Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead…

  • CVE-2026-28783Mar 4, 2026
    risk 0.00cvss epss 0.00

    Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack,…

  • CVE-2026-28697Mar 4, 2026
    risk 0.00cvss epss 0.01

    Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling…

  • CVE-2026-28695Mar 4, 2026
    risk 0.00cvss epss 0.01

    Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which…

  • CVE-2026-27641Feb 25, 2026
    risk 0.00cvss epss 0.01

    Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).…

  • CVE-2026-25526Feb 4, 2026
    risk 0.00cvss epss 0.01

    JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file…

  • CVE-2025-64087Jan 20, 2026
    risk 0.00cvss epss 0.01

    A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

  • CVE-2026-23626Jan 18, 2026
    risk 0.00cvss epss 0.00

    Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An…

  • CVE-2026-22244Jan 8, 2026
    risk 0.00cvss epss 0.01

    OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4…

  • CVE-2025-68454Jan 5, 2026
    risk 0.00cvss epss 0.01

    Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel,…

  • CVE-2026-21450Jan 2, 2026
    risk 0.00cvss epss 0.01

    Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.

  • CVE-2026-21449Jan 2, 2026
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.

  • CVE-2026-21448Jan 2, 2026
    risk 0.00cvss epss 0.01

    Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code…

  • CVE-2025-66299Dec 1, 2025
    risk 0.00cvss epss 0.01

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since…

  • CVE-2025-66298Dec 1, 2025
    risk 0.00cvss epss 0.00

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive…

  • CVE-2025-66297Dec 1, 2025
    risk 0.00cvss epss 0.01

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to…

  • CVE-2025-66294Dec 1, 2025
    risk 0.00cvss epss 0.03

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be…

  • CVE-2025-62416Oct 16, 2025
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with…