Common Weakness Enumeration

CWE-1336

Allowed

Improper Neutralization of Special Elements Used in a Template Engine

Abstraction: Base · Status: Incomplete

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

313 vulnerabilities reference this CWE, most recent first.

GHSA-Q2GX-X2FM-C9FR

Vulnerability from github – Published: 2025-02-14 09:31 – Updated: 2025-02-14 09:31
VLAI
Details

An issue was discovered in Logpoint AgentX before 1.5.0. A vulnerability caused by limited access controls allowed li-admin users to access sensitive information about AgentX Manager in a Logpoint deployment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-14T08:15:31Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Logpoint AgentX before 1.5.0. A vulnerability caused by limited access controls allowed li-admin users to access sensitive information about AgentX Manager in a Logpoint deployment.",
  "id": "GHSA-q2gx-x2fm-c9fr",
  "modified": "2025-02-14T09:31:22Z",
  "published": "2025-02-14T09:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26789"
    },
    {
      "type": "WEB",
      "url": "https://servicedesk.logpoint.com/hc/en-us/articles/24749416515741-Unauthorized-information-access-due-to-inadequate-access-controls"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q5XX-FXV3-XXQF

Vulnerability from github – Published: 2026-02-23 06:30 – Updated: 2026-02-25 17:52
VLAI
Summary
datapizza-ai: Server-Side Template Injection in ChatPromptTemplate via Jinja2 Template Handler
Details

A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "datapizza-ai-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-791"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T17:52:48Z",
    "nvd_published_at": "2026-02-23T05:16:19Z",
    "severity": "LOW"
  },
  "details": "A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-q5xx-fxv3-xxqf",
  "modified": "2026-02-25T17:52:48Z",
  "published": "2026-02-23T06:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2969"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/datapizza-labs/datapizza-ai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacktivesec/datapizza-ai-disclosure/blob/main/ssti.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.347336"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.347336"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.755357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "datapizza-ai: Server-Side Template Injection in ChatPromptTemplate via Jinja2 Template Handler"
}

GHSA-Q7CX-22M3-64GR

Vulnerability from github – Published: 2025-10-28 18:30 – Updated: 2025-10-29 15:31
VLAI
Details

zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T18:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.",
  "id": "GHSA-q7cx-22m3-64gr",
  "modified": "2025-10-29T15:31:54Z",
  "published": "2025-10-28T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/line2222/vuln/issues/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8GR-QPFG-HV8P

Vulnerability from github – Published: 2024-08-21 21:30 – Updated: 2024-08-21 21:30
VLAI
Details

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-21T21:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.",
  "id": "GHSA-q8gr-qpfg-hv8p",
  "modified": "2024-08-21T21:30:46Z",
  "published": "2024-08-21T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6386"
    },
    {
      "type": "WEB",
      "url": "https://sec.stealthcopter.com/wpml-rce-via-twig-ssti"
    },
    {
      "type": "WEB",
      "url": "https://wpml.org"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9QC-PP5X-MC8C

Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-14 21:01
VLAI
Summary
Improper Neutralization of Special Elements Used in a Template Engine in microweber
Details

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "microweber/microweber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-10T21:46:29Z",
    "nvd_published_at": "2022-03-09T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.",
  "id": "GHSA-q9qc-pp5x-mc8c",
  "modified": "2022-03-14T21:01:04Z",
  "published": "2022-03-10T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microweber/microweber/commit/e0224462b3dd6b1f7c6ec1197413afc6019bc3b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microweber/microweber"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/113056f1-7a78-4205-9f42-940ad41d8df0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Special Elements Used in a Template Engine in microweber"
}

GHSA-QC86-Q28F-GGWW

Vulnerability from github – Published: 2026-03-03 21:06 – Updated: 2026-03-04 18:39
VLAI
Summary
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
Details

For this to work, the attacker must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Alternatively, they can have a non-administrator account with allowAdminChanges disabled, but they must have access to the System Messages utility.

It is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.

Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.

References:

https://github.com/craftcms/cms/pull/18208

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:06:41Z",
    "nvd_published_at": "2026-03-04T17:16:21Z",
    "severity": "MODERATE"
  },
  "details": "For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS\u0027 recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/pull/18208",
  "id": "GHSA-qc86-q28f-ggww",
  "modified": "2026-03-04T18:39:16Z",
  "published": "2026-03-03T21:06:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/pull/18208"
    },
    {
      "type": "WEB",
      "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS has potential authenticated Remote Code Execution via Twig SSTI"
}

GHSA-QF7Q-96XW-2XGH

Vulnerability from github – Published: 2025-02-21 12:32 – Updated: 2025-02-21 12:32
VLAI
Details

Report generation functionality in Wyn Enterprise allows for code inclusion, but not sufficiently limits what code might be included. An attacker is able use a low privileges account in order to abuse this functionality and execute malicious code, load DLL libraries and executing OS commands on a host system with applications high privileges. This issue has been fixed in version 8.0.00204.0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-21T12:15:30Z",
    "severity": "HIGH"
  },
  "details": "Report generation functionality in Wyn Enterprise allows for code inclusion, but not sufficiently limits what code might be included. An attacker is able use a low privileges account in order to abuse this functionality and execute malicious code, load DLL libraries and executing OS commands on a host system with applications high privileges.\nThis issue has been fixed in version\u00a08.0.00204.0",
  "id": "GHSA-qf7q-96xw-2xgh",
  "modified": "2025-02-21T12:32:13Z",
  "published": "2025-02-21T12:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9150"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/02/CVE-2024-9150"
    },
    {
      "type": "WEB",
      "url": "https://efigo.pl/blog/cve-2024-9150"
    },
    {
      "type": "WEB",
      "url": "https://www.wynenterprise.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QP6F-W4R3-H8WG

Vulnerability from github – Published: 2026-03-27 22:19 – Updated: 2026-03-31 18:50
VLAI
Summary
Zebra node crash — V5 transaction hash panic (P2P reachable)
Details

Remote Denial of Service via Crafted V5 Transactions

Summary

A vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.

Severity

Critical - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.

Affected Versions

All Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to version 4.3.0.

Description

The vulnerability stems from Zebra lazily validating transaction fields that are eagerly validated in the librustzcash parsing logic used when Zebra computes transaction ids and auth digests for V5 transactions where Zebra panics if those computations fail.

PushTransaction messages with malformed V5 transactions are successfully deserialized as the zebra-chain Transaction type by the network codec, but when Zebra converts those transactions into internal types to compute the TxID expecting it to succeed, it triggers a panic/crash.

An attacker can trigger this crash by sending a single crafted tx message to a Zebra node's public P2P port. The same issue can be triggered via the sendrawtransaction RPC method.

Impact

Remote Denial of Service * Attack Vector: Remote, unauthenticated. * Effect: Immediate crash of the Zebra node. * Scope: Any node with an open P2P port (default 8233) or exposed RPC interface is vulnerable.

Fixed Versions

This issue is fixed in Zebra 4.3.0.

The fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.

Mitigation

Users should upgrade to Zebra 4.3.0 or later immediately.

If an immediate upgrade is not possible, users should ensure their RPC port is not exposed to the Internet. However, the P2P port must remain closed or restricted to trusted peers to fully mitigate the risk, which may impact the node's ability to sync with the network.

Credits

Zebra thanks robustfengbin, who discovered this issue and reported it via coordinated disclosure process.


Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-chain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T22:19:24Z",
    "nvd_published_at": "2026-03-31T15:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "---\n\n# Remote Denial of Service via Crafted V5 Transactions\n\n## Summary\nA vulnerability in Zebra\u0027s transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.\n\n## Severity\n**Critical** - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.\n\n## Affected Versions\nAll Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to **version 4.3.0**.\n\n## Description\nThe vulnerability stems from Zebra lazily validating transaction fields that are eagerly validated in the librustzcash parsing logic used when Zebra computes transaction ids and auth digests for V5 transactions where Zebra panics if those computations fail.\n\n`PushTransaction` messages with malformed V5 transactions are successfully deserialized as the zebra-chain `Transaction` type by the network codec, but when Zebra converts those transactions into internal types to compute the TxID expecting it to succeed, it triggers a panic/crash.\n\nAn attacker can trigger this crash by sending a single crafted `tx` message to a Zebra node\u0027s public P2P port. The same issue can be triggered via the `sendrawtransaction` RPC method.\n\n## Impact\n**Remote Denial of Service**\n* **Attack Vector:** Remote, unauthenticated.\n* **Effect:** Immediate crash of the Zebra node.\n* **Scope:** Any node with an open P2P port (default 8233) or exposed RPC interface is vulnerable.\n\n## Fixed Versions\nThis issue is fixed in **Zebra 4.3.0**. \n\nThe fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.\n\n## Mitigation\nUsers should upgrade to **Zebra 4.3.0** or later immediately. \n\nIf an immediate upgrade is not possible, users should ensure their RPC port is not exposed to the Internet. However, the P2P port must remain closed or restricted to trusted peers to fully mitigate the risk, which may impact the node\u0027s ability to sync with the network.\n\n## Credits\nZebra thanks [robustfengbin](https://github.com/robustfengbin), who discovered this issue and reported it via coordinated disclosure process.\n\n---",
  "id": "GHSA-qp6f-w4r3-h8wg",
  "modified": "2026-03-31T18:50:56Z",
  "published": "2026-03-27T22:19:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34202"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0"
    },
    {
      "type": "WEB",
      "url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zebra node crash \u2014 V5 transaction hash panic (P2P reachable)"
}

GHSA-R229-5WGF-F28G

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 20:41
VLAI
Summary
Aim Improper Access Control
Details

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "last_affected": "3.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T20:41:28Z",
    "nvd_published_at": "2025-03-20T10:15:41Z",
    "severity": "MODERATE"
  },
  "details": "In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.",
  "id": "GHSA-r229-5wgf-f28g",
  "modified": "2025-03-20T20:41:28Z",
  "published": "2025-03-20T12:32:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimhubio/aim"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimhubio/aim/blob/main/aim/storage/query.py#L45"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4e140ef9-f6d1-4e68-a44c-3b9e856924d3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aim Improper Access Control"
}

GHSA-R385-C5FC-X56C

Vulnerability from github – Published: 2025-02-10 21:31 – Updated: 2025-12-18 15:30
VLAI
Summary
CouchAuth has a Server-Side Template Injection vulnerability in its email functionality
Details

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@perfood/couch-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-18T15:30:17Z",
    "nvd_published_at": "2025-02-10T20:15:41Z",
    "severity": "MODERATE"
  },
  "details": "A host header injection vulnerability exists in the NPM package of perfood/couch-auth \u003c= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information.",
  "id": "GHSA-r385-c5fc-x56c",
  "modified": "2025-12-18T15:30:18Z",
  "published": "2025-02-10T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57177"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/perfood/couch-auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/waristea/cve-research/tree/main/CVE-2024-57177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CouchAuth has a Server-Side Template Injection vulnerability in its email functionality"
}

Mitigation
Architecture and Design

Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.

Mitigation
Implementation

Use the template engine's sandbox or restricted mode, if available.

No CAPEC attack patterns related to this CWE.