Common Weakness Enumeration

CWE-1336

Allowed

Improper Neutralization of Special Elements Used in a Template Engine

Abstraction: Base · Status: Incomplete

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

313 vulnerabilities reference this CWE, most recent first.

GHSA-27WP-JVHW-V4XP

Vulnerability from github – Published: 2024-08-08 14:48 – Updated: 2024-08-08 17:00
VLAI
Summary
Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
Details

Impact

Shopware has a new Twig Tag sw_silent_feature_call which silences deprecation messages while triggered in this tag. It accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.

Patches

Update to Shopware 6.6.5.1 or 6.5.8.13

Workarounds

For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.8.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.8.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.8.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.8.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.6.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.6.0.0"
            },
            {
              "fixed": "6.6.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.6.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.6.0.0"
            },
            {
              "fixed": "6.6.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-08T14:48:03Z",
    "nvd_published_at": "2024-08-08T15:15:18Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nShopware has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag.\nIt accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.\n\n### Patches\nUpdate to Shopware 6.6.5.1 or 6.5.8.13\n\n### Workarounds\nFor older versions of 6.2, 6.3,  and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n",
  "id": "GHSA-27wp-jvhw-v4xp",
  "modified": "2024-08-08T17:00:14Z",
  "published": "2024-08-08T14:48:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag"
}

GHSA-28GW-7MXX-5HJG

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30
VLAI
Details

Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T21:15:27Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-28gw-7mxx-5hjg",
  "modified": "2024-11-13T21:30:38Z",
  "published": "2024-11-13T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39766"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01219.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2V4M-FW6C-G78F

Vulnerability from github – Published: 2026-07-01 17:56 – Updated: 2026-07-01 17:56
VLAI
Summary
GeoNetwork has reflected XSS through client-side template injection
Details

Summary

It is possible to craft a URL that causes GeoNetwork to reflect attacker-controlled content into an error page in a way that gets evaluated as a client-side template expression. Combined with known AngularJS sandbox-escape techniques, this can be used to execute arbitrary JavaScript in the victim's browser (reflected Cross-Site Scripting via client-side template injection).

Details

When a user requests a service URL that does not exist or that they are not authorized to access, GeoNetwork shows an error page that reflects part of the original request back to the user without adequately neutralizing it for the context it is rendered in. Because this error page is an AngularJS application, attacker-controlled content in the reflected value can be interpreted as a template expression and evaluated once the page loads in the victim's browser, rather than being displayed as inert text.

Impact

An attacker can trick a user (including an administrator) into visiting a crafted link. The resulting script execution runs in the context of the victim's authenticated session and can be used to exfiltrate information or perform actions on the victim's behalf. For example, an attacker could inject a fake login form that looks identical to the legitimate GeoNetwork login page to harvest credentials.

GeoNetwork 3.x and 4.0.x are archived/unmaintained and will not receive a fix for this issue. Instances running those lines should upgrade to a supported release (4.2.15 or later, or 4.4.10 or later).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:geonetwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "last_affected": "3.12.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:geonetwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "last_affected": "4.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.14"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:geonetwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geonetwork-opensource:geonetwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T17:56:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nIt is possible to craft a URL that causes GeoNetwork to reflect attacker-controlled content into an error page in a way that gets evaluated as a client-side template expression. Combined with known AngularJS sandbox-escape techniques, this can be used to execute arbitrary JavaScript in the victim\u0027s browser (reflected Cross-Site Scripting via client-side template injection).\n\n### Details\nWhen a user requests a service URL that does not exist or that they are not authorized to access, GeoNetwork shows an error page that reflects part of the original request back to the user without adequately neutralizing it for the context it is rendered in. Because this error page is an AngularJS application, attacker-controlled content in the reflected value can be interpreted as a template expression and evaluated once the page loads in the victim\u0027s browser, rather than being displayed as inert text.\n\n### Impact\nAn attacker can trick a user (including an administrator) into visiting a crafted link. The resulting script execution runs in the context of the victim\u0027s authenticated session and can be used to exfiltrate information or perform actions on the victim\u0027s behalf. For example, an attacker could inject a fake login form that looks identical to the legitimate GeoNetwork login page to harvest credentials.\n\nGeoNetwork 3.x and 4.0.x are archived/unmaintained and will not receive a fix for this issue. Instances running those lines should upgrade to a supported release (4.2.15 or later, or 4.4.10 or later).",
  "id": "GHSA-2v4m-fw6c-g78f",
  "modified": "2026-07-01T17:56:51Z",
  "published": "2026-07-01T17:56:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2v4m-fw6c-g78f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geonetwork/core-geonetwork"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoNetwork has reflected XSS through client-side template injection"
}

GHSA-33QF-Q99X-WPM8

Vulnerability from github – Published: 2026-04-16 21:28 – Updated: 2026-04-27 16:15
VLAI
Summary
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates
Details

Impact

Up to 1.0.0 of home-assitant-cli (or hass-cli for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage.

E. g., it was possible to render a template with hass-cli template bad-template.j2 --local that contained entries like

{%- set b   = environ.__globals__['__builtins__'] -%}
{%- set os  = b['__import__']('os') -%}
{%- set bio = b['__import__']('builtins') -%}
...

or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine.

In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with --local.

The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions.

Patches

1.0.0 uses ImmutableSandboxedEnvironment and restricts the usage of environment variables.

Workarounds

Evaluate the Jninja2 templates manually or tool-based before rendering with hass-cli.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "homeassistant-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:28:39Z",
    "nvd_published_at": "2026-04-21T18:16:51Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUp to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python\u0027s internals and extended the scope of templating beyond the intended usage.\n\nE. g., it was possible to render a template with `hass-cli template bad-template.j2 --local` that contained entries like\n\n````j2\n{%- set b   = environ.__globals__[\u0027__builtins__\u0027] -%}\n{%- set os  = b[\u0027__import__\u0027](\u0027os\u0027) -%}\n{%- set bio = b[\u0027__import__\u0027](\u0027builtins\u0027) -%}\n...\n````\n\nor other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine.\n\nIn a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell)  then to render those templates unchecked/reviewed/verified with `--local`. \n\nThe issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions.\n\n### Patches\n\n1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables.\n\n### Workarounds\n\nEvaluate the Jninja2 templates manually or  tool-based before rendering with `hass-cli`.",
  "id": "GHSA-33qf-q99x-wpm8",
  "modified": "2026-04-27T16:15:58Z",
  "published": "2026-04-16T21:28:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant-ecosystem/home-assistant-cli/security/advisories/GHSA-33qf-q99x-wpm8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40602"
    },
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant-ecosystem/home-assistant-cli/pull/453"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/home-assistant-ecosystem/home-assistant-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates"
}

GHSA-34HW-4CQQ-QH3W

Vulnerability from github – Published: 2025-12-17 03:30 – Updated: 2025-12-17 03:30
VLAI
Details

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-17T01:15:59Z",
    "severity": "CRITICAL"
  },
  "details": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.",
  "id": "GHSA-34hw-4cqq-qh3w",
  "modified": "2025-12-17T03:30:13Z",
  "published": "2025-12-17T03:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14700"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-35JP-8CGG-P4WJ

Vulnerability from github – Published: 2024-08-08 14:50 – Updated: 2024-08-08 17:00
VLAI
Summary
Shopware vulnerable to Server Side Template Injection in Twig using Context functions
Details

Impact

The context variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function.

Example call from PHP:

$context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void {
    $fileBlob = $mediaService->loadFile($media->getId(), $context);
});

This function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method.

It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts.

Patches

Update to Shopware 6.6.5.1 or 6.5.8.13

Workarounds

For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.8.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.8.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.8.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.8.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.6.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.6.0.0"
            },
            {
              "fixed": "6.6.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.6.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.6.0.0"
            },
            {
              "fixed": "6.6.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-08T14:50:11Z",
    "nvd_published_at": "2024-08-08T15:15:18Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. \n\nExample call from PHP:\n\n```php\n$context-\u003escope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, \u0026$fileBlob): void {\n    $fileBlob = $mediaService-\u003eloadFile($media-\u003egetId(), $context);\n});\n```\n\nThis function can be called also from Twig and as the second parameter allows any callable, it\u0027s possible to call from Twig any statically callable PHP function/method.\n\nIt\u0027s not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts.\n\n### Patches\nUpdate to Shopware 6.6.5.1 or 6.5.8.13\n\n### Workarounds\nFor older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n",
  "id": "GHSA-35jp-8cgg-p4wj",
  "modified": "2024-08-08T17:00:22Z",
  "published": "2024-08-08T14:50:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Shopware vulnerable to Server Side Template Injection in Twig using Context functions"
}

GHSA-366H-GRHQ-R9JR

Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:01
VLAI
Details

On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-05T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
  "id": "GHSA-366h-grhq-r9jr",
  "modified": "2022-05-14T00:01:34Z",
  "published": "2022-05-06T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27662"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K24248011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36QQ-9V26-CRFG

Vulnerability from github – Published: 2025-12-15 18:30 – Updated: 2025-12-16 18:31
VLAI
Details

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-15T18:15:48Z",
    "severity": "HIGH"
  },
  "details": "An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict=\"address_name\", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.",
  "id": "GHSA-36qq-9v26-crfg",
  "modified": "2025-12-16T18:31:31Z",
  "published": "2025-12-15T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66437"
    },
    {
      "type": "WEB",
      "url": "https://iamanc.github.io/post/erpnext-ssti-bug-4"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/SSTI-bug-4-239e6086eadc80aa9331fba874c674a5?source=copy_link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36VW-4J29-FG6F

Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-09 12:32
VLAI
Details

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T14:16:27Z",
    "severity": "MODERATE"
  },
  "details": "An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.",
  "id": "GHSA-36vw-4j29-fg6f",
  "modified": "2026-06-09T12:32:01Z",
  "published": "2026-05-19T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40900"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-827968.html"
    },
    {
      "type": "WEB",
      "url": "https://security.nozominetworks.com/NN-2026:3-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-374C-2PVV-FXF5

Vulnerability from github – Published: 2025-12-10 21:31 – Updated: 2025-12-17 21:30
VLAI
Details

A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T20:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.",
  "id": "GHSA-374c-2pvv-fxf5",
  "modified": "2025-12-17T21:30:41Z",
  "published": "2025-12-10T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65602"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/chancms/ChanCMS"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689?source=copy_link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.

Mitigation
Implementation

Use the template engine's sandbox or restricted mode, if available.

No CAPEC attack patterns related to this CWE.