Common Weakness Enumeration

CWE-1336

Allowed

Improper Neutralization of Special Elements Used in a Template Engine

Abstraction: Base · Status: Incomplete

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

312 vulnerabilities reference this CWE, most recent first.

GHSA-W2HG-2V4P-VMH6

Vulnerability from github – Published: 2025-10-02 21:21 – Updated: 2026-01-16 22:03
VLAI
Summary
Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns
Details

Impact

In LXD's instance snapshot creation functionality, the Pongo2 template engine is used in the snapshots.pattern configuration for generating snapshot names. While code execution functionality has not been found in this template engine, it has file reading capabilities, creating a vulnerability that allows arbitrary file reading through template injection attacks.

Reproduction Steps

  1. Log in to LXD-UI with an account that has permissions to modify instance settings
  2. Set the following template injection payload in the instance snapshot pattern:
{% filter urlencode|slice:":100" %}{% include "/etc/passwd" %}{%endfilter %}

Note that the above template uses the Pongo2 template engine's include tag to read system files. It also uses urlencode and slice filters to bypass character count and type restrictions.

  1. Set scheduled snapshots to run every minute and wait for snapshot generation
  2. Wait about a minute and confirm that file contents can be obtained from the created snapshot name

Risk

The attack requires having configuration change permissions for LXD instances. The attack allows reading arbitrary files accessible with LXD process permissions. This could lead to leakage of the following information: -​ LXD host configuration files (/etc/passwd, /etc/shadow, etc.) -​ LXD database files (containing information about all projects and instances) -​ Configuration files and data of other instances -​ Sensitive information on the host system

Countermeasures

Pongo2 provides mechanisms for sandboxing templates.

Template sandboxing (directory patterns, banned tags/filters) ( https://github.com/flosch/pongo2/tree/master?tab=readme-ov-file#features )

This functionality allows banning specific tags and filters by generating a custom TemplateSet.

At minimum, the following tags are considered to pose a risk of file leakage on the LXD host when used. Therefore, banning these can provide countermeasures against file reading attacks. -​ include -​ ssi -​ extends -​ import

The deny-list approach is prone to vulnerability recurrence due to missed countermeasures or new feature additions. Therefore, as the safest approach, we recommend using an allow-list format to permit only necessary functions.

However, as far as our investigation shows, pongo2 does not have functionality to retrieve a list of registered tags or filters, nor does it provide means to implement an allow-list approach. Therefore, it is necessary to either forcibly obtain the registration list through reflection and ban anything not on the allow-list, or ban everything from the current implemented list since the library has not been updated for about two years.

In LXD's implementation, template injection attacks can be prevented by modifying the RenderTemplate function in shared/util.go to use a restricted TemplateSet as shown above.

Patches

LXD Series Status
6 Fixed in LXD 6.5
5.21 Fixed in LXD 5.21.4
5.0 Ignored - Not critical
4.0 Ignored - EOL and not critical

References

Reported by GMO Flatt Security Inc.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20200331193331-03aab09f5b5c"
            },
            {
              "fixed": "0.0.0-20250827065555-0494f5d47e41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-02T21:21:33Z",
    "nvd_published_at": "2025-10-02T10:15:38Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn LXD\u0027s instance snapshot creation functionality, the Pongo2 template engine is used in the `snapshots.pattern` configuration for generating snapshot names. While code execution functionality has not been found in this template engine, it has file reading capabilities, creating a vulnerability that allows arbitrary file reading through template injection attacks.\n\n### Reproduction Steps\n\n1. Log in to LXD-UI with an account that has permissions to modify instance settings\n2. Set the following template injection payload in the instance snapshot pattern:\n\n```\n{% filter urlencode|slice:\":100\" %}{% include \"/etc/passwd\" %}{%endfilter %}\n```\n\nNote that the above template uses the Pongo2 template engine\u0027s include tag to read system files. It also uses urlencode and slice filters to bypass character count and type restrictions.\n\n3. Set scheduled snapshots to run every minute and wait for snapshot generation\n4. Wait about a minute and confirm that file contents can be obtained from the created snapshot name\n\n### Risk\nThe attack requires having configuration change permissions for LXD instances.\nThe attack allows reading arbitrary files accessible with LXD process permissions. This could lead to leakage of the following information:\n-\u200b LXD host configuration files (/etc/passwd, /etc/shadow, etc.)\n-\u200b LXD database files (containing information about all projects and instances)\n-\u200b Configuration files and data of other instances\n-\u200b Sensitive information on the host system\n\n### Countermeasures\nPongo2 provides mechanisms for sandboxing templates.\n\n\u003e Template sandboxing (directory patterns, banned tags/filters)\n( https://github.com/flosch/pongo2/tree/master?tab=readme-ov-file#features )\n\nThis functionality allows banning specific tags and filters by generating a custom TemplateSet.\n\nAt minimum, the following tags are considered to pose a risk of file leakage on the LXD host when used. Therefore, banning these can provide countermeasures against file reading attacks.\n-\u200b include\n-\u200b ssi\n-\u200b extends\n-\u200b import\n\nThe deny-list approach is prone to vulnerability recurrence due to missed countermeasures or new feature additions. Therefore, as the safest approach, we recommend using an allow-list format to permit only necessary functions.\n\nHowever, as far as our investigation shows, pongo2 does not have functionality to retrieve a list of registered tags or filters, nor does it provide means to implement an allow-list approach. Therefore, it is necessary to either forcibly obtain the registration list through reflection and ban anything not on the allow-list, or ban everything from the current implemented list since the library has not been updated for about two years.\n\nIn LXD\u0027s implementation, template injection attacks can be prevented by modifying the `RenderTemplate` function in `shared/util.go` to use a restricted `TemplateSet` as shown above.\n\n### Patches\n\n| LXD Series  | Status |\n| ------------- | ------------- |\n| 6 | Fixed in LXD 6.5  |\n| 5.21 | Fixed in LXD 5.21.4  |\n| 5.0 | Ignored - Not critical  |\n| 4.0  | Ignored - EOL and not critical |\n\n### References\nReported by GMO Flatt Security Inc.",
  "id": "GHSA-w2hg-2v4p-vmh6",
  "modified": "2026-01-16T22:03:02Z",
  "published": "2025-10-02T21:21:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54287"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/lxd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns"
}

GHSA-WC7F-VVJ8-28M9

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-18 18:31
VLAI
Details

SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T14:16:46Z",
    "severity": "HIGH"
  },
  "details": "SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint\u00a0accepts attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.",
  "id": "GHSA-wc7f-vvj8-28m9",
  "modified": "2026-05-18T18:31:24Z",
  "published": "2026-05-08T15:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44129"
    },
    {
      "type": "WEB",
      "url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security"
    },
    {
      "type": "WEB",
      "url": "https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WHR7-M3F8-MPM8

Vulnerability from github – Published: 2023-06-16 19:37 – Updated: 2023-06-16 19:37
VLAI
Summary
Grav Server-side Template Injection (SSTI) via Twig Default Filters
Details

Hi,

actually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023.

Grav Server-side Template Injection (SSTI) via Twig Default Filters

Summary:

Product Grav CMS
Vendor Grav
Severity High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution
Affected Versions <= v1.7.40 (Commit 685d762) (Latest version as of writing)
Tested Versions v1.7.40
Internal Identifier STAR-2023-0008
CVE Identifier TBD
CWE(s) CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CVSS3.1 Scoring System:

Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Metric | Value | | ---------------------------- | --------- | | Attack Vector (AV) | Network | | Attack Complexity (AC) | Low | | Privileges Required (PR) | High | | User Interaction (UI) | None | | Scope (S) | Unchanged | | Confidentiality (C) | High | | Integrity (I) | High | | Availability (A) | High |

Product Overview:

Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.

Vulnerability Summary:

The patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default filter() function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution.

Vulnerability Details:

Twig comes with an extension known as the Core Extension that is enabled by default when initialising a new Twig environment. Twig's Core Extension provides multiple built-in filters, such as the filter() function, which can be used in Twig templates.

CVE-2022-2073 leverages the default filter() filter function in Twig to invoke arbitrary unsafe functions. This was patched by overriding the default filter() filter function in commit 9d6a2d of Grav v1.7.34 to perform validation checks on the arguments passed to filter(): ~~~diff php ... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix + new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), ]; }

...
  • /**
    • @param Environment $env
    • @param array $array
    • @param callable|string $arrow
    • @return array|CallbackFilterIterator
    • @throws RuntimeError
  • */
  • function filterFilter(Environment $env, $array, $arrow)
  • {
  • if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
  • throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
  • } +
  • return \twig_array_filter($env, $array, $arrow);
  • } }

However, looking at the source code of [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) of Twig, alternative default Twig filters could also be used invoke arbitrary functions:
~~~php
...
class CoreExtension extends AbstractExtension
{
    ...
    public function getFilters(): array
    {
        return [
            ...
            // array helpers
            ...
            new TwigFilter('filter', 'twig_array_filter', ['needs_environment' => true]), // unsafe
            new TwigFilter('map', 'twig_array_map', ['needs_environment' => true]), // unsafe
            new TwigFilter('reduce', 'twig_array_reduce', ['needs_environment' => true]), // unsafe
        ];
    }

The three filter functions above respectively call array_filter(), array_map() and array_reduce(). Since only filter() is being overriden by Grav to ensure that the callable passed to filter() does not result in the invocation of an unsafe function, the other two functions (i.e. map() and reduce()) could be used by an authenticated attacker that is able to inject and render malicious templates to gain remote code execution.

Exploit Conditions:

This vulnerability can be exploited if the attacker has access to: 1. an administrator account, or 2. a non-administrator, user account that are granted the following permissions: - login access to Grav admin panel, and - page creation or update rights

Reproduction Steps:

  1. Log in to Grav Admin using an administrator account.
  2. Navigate to Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:
    • Login to Admin - Allowed
    • Page Update - Allowed
  3. Log out of Grav Admin, and log back in using the account created in step 2.
  4. Navigate to http://<grav_installation>/admin/pages/home.
  5. Click the Advanced tab and select the checkbox beside Twig to ensure that Twig processing is enabled for the modified webpage.
  6. Under the Content tab, insert the following payload within the editor: ~~~twig {{ ['id'] | map('system') }} {{ ['id'] | reduce('system') }} ~~~
  7. Click the Preview button. Observe that the output of the id shell command is returned in the preview.

Suggested Mitigations:

Override the built-in Twig map() and reduce() filter functions in system/src/Grav/Common/Twig/Extension/GravExtension.php to validate the argument passed to the filter in $arrow.

For example:

...
class GravExtension extends AbstractExtension implements GlobalsInterface
{
    ...
    public function getFilters(): array
    {
        return [
            ...
            // Security fix
            new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
+           new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
+           new TwigFilter('reduce', [$this, 'reduceFilter'], ['needs_environment' => true]),
        ];
    }

    ...
+   /**
+    * @param Environment $env
+    * @param array $array
+    * @param callable|string $arrow
+    * @return array|CallbackFilterIterator
+    * @throws RuntimeError
+    */
+   function mapFilter(Environment $env, $array, $arrow)
+   {
+       if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
+           throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
+       }
+
+       return \twig_array_map($env, $array, $arrow);
+   }
+ 
+   /**
+    * @param Environment $env
+    * @param array $array
+    * @param callable|string $arrow
+    * @return array|CallbackFilterIterator
+    * @throws RuntimeError
+    */
+   function reduceFilter(Environment $env, $array, $arrow)
+   {
+       if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
+           throw new RuntimeError('Twig |reduce("' . $arrow . '") is not allowed.');
+       }
+
+       return \twig_array_reduce($env, $array, $arrow);
+   }
}

Detection Guidance:

The following strategies may be used to detect potential exploitation attempts. 1. Searching within Markdown pages using the following shell command:
grep -Priz -e '\|\s*(map|reduce)\s*\(' /path/to/webroot/user/pages/ 2. Searching within Doctrine cache data using the following shell command:
grep -Priz -e '\|\s*(map|reduce)\s*\(' --include '*.doctrinecache.data' /path/to/webroot/cache/ 3. Searching within Twig cache using the following shell command:
grep -Priz -e 'twig_array_(map|reduce)' /path/to/webroot/cache/twig/ 4. Searching within compiled Twig template files using the following shell command:
grep -Priz -e '\|\s*(map|reduce)\s*\(' /path/to/webroot/cache/compiled/files/

Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at /path/to/webroot/logs/grav.log by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.

Credits:

Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

Vulnerability Disclosure:

This vulnerability report is subject to a 120 day disclosure deadline as per STAR Labs SG Pte. Ltd.'s Vulnerability Disclosure Policy. After 120 days have elapsed, the vulnerability report will be published to the public by STAR Labs SG Pte. Ltd. (STAR Labs).

The scheduled disclosure date is 25th July, 2023. Disclosure at an earlier date is also possible if agreed upon by all parties.

Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
1. CVE-2023-30596 Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in GravExtension.filterFilter() and to achieve remote code execution via Twig's default filters map() and reduce(). This is a bypass of CVE-2022-2073.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-16T19:37:08Z",
    "nvd_published_at": "2023-06-14T23:15:11Z",
    "severity": "HIGH"
  },
  "details": "Hi,\n\nactually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023.\n\n# Grav Server-side Template Injection (SSTI) via Twig Default Filters\n\n## Summary:  \n| **Product**             | Grav CMS                                      |\n| ----------------------- | --------------------------------------------- |\n| **Vendor**              | Grav                                          |\n| **Severity**            | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |\n| **Affected Versions**   | \u003c= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |\n| **Tested Versions**     | v1.7.40                                       |\n| **Internal Identifier** | STAR-2023-0008                                |\n| **CVE Identifier**      | TBD                                           |\n| **CWE(s)**              | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |\n\n## CVSS3.1 Scoring System:  \n**Base Score:** 7.2 (High)  \n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`  \n| **Metric**                   | **Value** |\n| ---------------------------- | --------- |\n| **Attack Vector (AV)**       | Network   |\n| **Attack Complexity (AC)**   | Low       |\n| **Privileges Required (PR)** | High      |\n| **User Interaction (UI)**    | None      |\n| **Scope (S)**                | Unchanged |\n| **Confidentiality \\(C)**     | High      |\n| **Integrity (I)**            | High      |\n| **Availability (A)**         | High      |\n\n## Product Overview:  \nGrav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.\n\n## Vulnerability Summary:  \nThe patch for [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/), a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution.\n\n## Vulnerability Details:  \nTwig comes with an extension known as the [Core Extension](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) that is enabled by default when initialising a new [Twig environment](https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148). Twig\u0027s Core Extension provides multiple built-in filters, such as the `filter()` function, which can be used in Twig templates. \n\n[CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/) leverages the default `filter()` filter function in Twig to invoke arbitrary unsafe functions. This was patched by overriding the default `filter()` filter function in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) of Grav v1.7.34 to perform validation checks on the arguments passed to `filter()`:\n~~~diff php\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // Security fix\n+           new TwigFilter(\u0027filter\u0027, [$this, \u0027filterFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n        ];\n    }\n    \n    ...\n\n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function filterFilter(Environment $env, $array, $arrow)\n+   {\n+       if (is_string($arrow) \u0026\u0026 Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError(\u0027Twig |filter(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n+       }\n+\n+       return \\twig_array_filter($env, $array, $arrow);\n+   }\n}\n~~~\n\nHowever, looking at the source code of [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) of Twig, alternative default Twig filters could also be used invoke arbitrary functions:\n~~~php\n...\nclass CoreExtension extends AbstractExtension\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // array helpers\n            ...\n            new TwigFilter(\u0027filter\u0027, \u0027twig_array_filter\u0027, [\u0027needs_environment\u0027 =\u003e true]), // unsafe\n            new TwigFilter(\u0027map\u0027, \u0027twig_array_map\u0027, [\u0027needs_environment\u0027 =\u003e true]), // unsafe\n            new TwigFilter(\u0027reduce\u0027, \u0027twig_array_reduce\u0027, [\u0027needs_environment\u0027 =\u003e true]), // unsafe\n        ];\n    }\n~~~\n\nThe three filter functions above respectively call `array_filter()`, `array_map()` and `array_reduce()`. Since only `filter()` is being overriden by Grav to ensure that the callable passed to `filter()` does not result in the invocation of an unsafe function, the other two functions (i.e. `map()` and `reduce()`) could be used by an authenticated attacker that is able to inject and render malicious templates to gain remote code execution.\n\n## Exploit Conditions:    \nThis vulnerability can be exploited if the attacker has access to:\n1. an administrator account, or\n2. a non-administrator, user account that are granted the following permissions:\n    - login access to Grav admin panel, and\n    - page creation or update rights\n\n## Reproduction Steps:  \n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts \u003e Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:\n    * Login to Admin - Allowed\n    * Page Update - Allowed\n2. Log out of Grav Admin, and log back in using the account created in step 2.\n3. Navigate to `http://\u003cgrav_installation\u003e/admin/pages/home`.\n4. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n5. Under the `Content` tab, insert the following payload within the editor:\n   ~~~twig\n   {{ [\u0027id\u0027] | map(\u0027system\u0027) }}\n   {{ [\u0027id\u0027] | reduce(\u0027system\u0027) }}\n   ~~~\n4. Click the Preview button. Observe that the output of the `id` shell command is returned in the preview.\n\n## Suggested Mitigations:  \nOverride the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.\n\nFor example:\n~~~diff\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // Security fix\n            new TwigFilter(\u0027filter\u0027, [$this, \u0027filterFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+           new TwigFilter(\u0027map\u0027, [$this, \u0027mapFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+           new TwigFilter(\u0027reduce\u0027, [$this, \u0027reduceFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n        ];\n    }\n\n    ...\n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function mapFilter(Environment $env, $array, $arrow)\n+   {\n+       if (!$arrow instanceof Closure \u0026\u0026 !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError(\u0027Twig |map(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n+       }\n+\n+       return \\twig_array_map($env, $array, $arrow);\n+   }\n+ \n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function reduceFilter(Environment $env, $array, $arrow)\n+   {\n+       if (!$arrow instanceof Closure \u0026\u0026 !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError(\u0027Twig |reduce(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n+       }\n+\n+       return \\twig_array_reduce($env, $array, $arrow);\n+   }\n}\n~~~\n\n## Detection Guidance:  \nThe following strategies may be used to detect potential exploitation attempts.\n1. Searching within Markdown pages using the following shell command:  \n   `grep -Priz -e \u0027\\|\\s*(map|reduce)\\s*\\(\u0027 /path/to/webroot/user/pages/`\n2. Searching within Doctrine cache data using the following shell command:  \n   `grep -Priz -e \u0027\\|\\s*(map|reduce)\\s*\\(\u0027  --include \u0027*.doctrinecache.data\u0027 /path/to/webroot/cache/`\n3. Searching within Twig cache using the following shell command:  \n   `grep -Priz -e \u0027twig_array_(map|reduce)\u0027 /path/to/webroot/cache/twig/`\n4. Searching within compiled Twig template files using the following shell command:  \n   `grep -Priz -e \u0027\\|\\s*(map|reduce)\\s*\\(\u0027 /path/to/webroot/cache/compiled/files/`\n\nNote that it is not possible to detect indicators of compromise reliably using the Grav log file (located at `/path/to/webroot/logs/grav.log` by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.\n\n## Credits:  \nNgo Wei Lin ([@Creastery](https://twitter.com/Creastery)) \u0026 Wang Hengyue ([@w_hy_04](https://twitter.com/w_hy_04)) of STAR Labs SG Pte. Ltd. ([@starlabs_sg](https://twitter.com/starlabs_sg))\n\n## Vulnerability Disclosure:  \nThis vulnerability report is subject to a 120 day disclosure deadline as per [STAR Labs SG Pte. Ltd.\u0027s Vulnerability Disclosure Policy](https://starlabs.sg/advisories/STAR%20Labs%20SG%20Pte.%20Ltd.%20Vulnerability%20Disclosure%20Policy.pdf). After 120 days have elapsed, the vulnerability report will be published to the public by [STAR Labs SG Pte. Ltd.](https://starlabs.sg/) (STAR Labs).  \n\nThe scheduled disclosure date is _**25th July, 2023**_. Disclosure at an earlier date is also possible if agreed upon by all parties.  \n\nKindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:  \n1. **CVE-2023-30596**\n    Server-side Template Injection (SSTI) in getgrav/grav \u003c= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `GravExtension.filterFilter()` and to achieve remote code execution via Twig\u0027s default filters `map()` and `reduce()`. This is a bypass of CVE-2022-2073.\n",
  "id": "GHSA-whr7-m3f8-mpm8",
  "modified": "2023-06-16T19:37:08Z",
  "published": "2023-06-16T19:37:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"
    },
    {
      "type": "WEB",
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Server-side Template Injection (SSTI) via Twig Default Filters"
}

GHSA-WJ7R-P6PM-XX2R

Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-08-01 15:31
VLAI
Details

StrongShop v1.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the component /shippingOptionConfig/index.blade.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-97"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-17T14:15:11Z",
    "severity": "HIGH"
  },
  "details": "StrongShop v1.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the component /shippingOptionConfig/index.blade.php.",
  "id": "GHSA-wj7r-p6pm-xx2r",
  "modified": "2024-08-01T15:31:49Z",
  "published": "2024-06-17T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hebing123/cve/issues/47"
    },
    {
      "type": "WEB",
      "url": "https://www.strongshop.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJW6-95H5-4JPX

Vulnerability from github – Published: 2025-06-10 20:17 – Updated: 2026-06-08 20:18
VLAI
Summary
Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating
Details

Impact

What kind of vulnerability is it? Who is impacted?

All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected.

Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot:

  1. A malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered.
  2. A malicious user could configure this feature set in ways that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user.

Patches

Has the problem been patched? What versions should users upgrade to?

Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

The vulnerability can be partially mitigated by configuring object permissions appropriately to limit the below actions to only trusted users:

  • extras.add_secret
  • extras.change_secret
  • extras.view_secret
  • extras.add_computedfield
  • extras.change_computedfield
  • extras.add_customlink
  • extras.change_customlink
  • extras.add_jobbutton
  • extras.change_jobbutton

References

Are there any links users can visit to find out more?

  • https://jinja.palletsprojects.com/en/stable/sandbox/
  • https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description
  • https://github.com/nautobot/nautobot/pull/7417
  • https://github.com/nautobot/nautobot/pull/7429
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:17:15Z",
    "nvd_published_at": "2025-06-10T16:15:42Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAll users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected.\n\nDue to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot:\n\n1. A malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered.\n2. A malicious user could configure this feature set in ways that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nNautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThe vulnerability can be partially mitigated by configuring object permissions appropriately to limit the below actions to only trusted users:\n\n- `extras.add_secret`\n- `extras.change_secret`\n- `extras.view_secret`\n- `extras.add_computedfield`\n- `extras.change_computedfield`\n- `extras.add_customlink`\n- `extras.change_customlink`\n- `extras.add_jobbutton`\n- `extras.change_jobbutton`\n\n### References\n_Are there any links users can visit to find out more?_\n\n- https://jinja.palletsprojects.com/en/stable/sandbox/\n- https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description\n- https://github.com/nautobot/nautobot/pull/7417\n- https://github.com/nautobot/nautobot/pull/7429",
  "id": "GHSA-wjw6-95h5-4jpx",
  "modified": "2026-06-08T20:18:22Z",
  "published": "2025-06-10T20:17:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/7417"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/7429"
    },
    {
      "type": "WEB",
      "url": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nautobot/nautobot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2025-74.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2025-79.yaml"
    },
    {
      "type": "WEB",
      "url": "https://jinja.palletsprojects.com/en/stable/sandbox"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating"
}

GHSA-WQC2-GWGP-9P7W

Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 21:31
VLAI
Details

A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is executed, granting the attacker elevated permissions within the CRM system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is executed, granting the attacker elevated permissions within the CRM system.",
  "id": "GHSA-wqc2-gwgp-9p7w",
  "modified": "2024-09-27T21:31:50Z",
  "published": "2024-09-27T18:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46366"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Tommywarren/89cef7f876ee897a4ff40a8b71b6208e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X238-V9F9-93G8

Vulnerability from github – Published: 2025-04-28 15:31 – Updated: 2025-04-28 15:31
VLAI
Details

Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-28T15:15:45Z",
    "severity": "LOW"
  },
  "details": "Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.",
  "id": "GHSA-x238-v9f9-93g8",
  "modified": "2025-04-28T15:31:41Z",
  "published": "2025-04-28T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23376"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000311083/dsa-2025-062-security-update-for-dell-powerprotect-data-manager-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7GR-MMJJ-HX3H

Vulnerability from github – Published: 2024-11-14 18:30 – Updated: 2026-04-01 18:32
VLAI
Details

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.1.15.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-82",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T18:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.1.15.",
  "id": "GHSA-x7gr-mmjj-hx3h",
  "modified": "2026-04-01T18:32:24Z",
  "published": "2024-11-14T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52393"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/podlove-podcasting-plugin-for-wordpress/vulnerability/wordpress-podlove-podcast-publisher-plugin-4-1-15-admin-remote-code-execution-rce-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/podlove-podcasting-plugin-for-wordpress/wordpress-podlove-podcast-publisher-plugin-4-1-15-admin-remote-code-execution-rce-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7M9-MWC2-G6W2

Vulnerability from github – Published: 2026-05-18 17:23 – Updated: 2026-06-09 10:32
VLAI
Summary
Formie: Pre-authenticated server-side template injection in Hidden fields
Details

Impact

  • Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).
  • Sites with public Formie forms that include at least one Hidden field with that configuration.
  • No CP login for the reported chain.

Patches

Workarounds

  • Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible
  • Otherwise, upgrade to patched versions
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "verbb/formie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-beta.1"
            },
            {
              "fixed": "3.1.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "verbb/formie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-693",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:23:39Z",
    "nvd_published_at": "2026-05-29T20:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n- Unauthenticated users could submit crafted values into Hidden fields (with Default value \u2192 Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).\n- Sites with public Formie forms that include at least one Hidden field with that configuration.\n- No CP login for the reported chain.\n\n### Patches\n- [2.2.20](https://github.com/verbb/formie/releases/tag/2.2.20), [3.1.24](https://github.com/verbb/formie/releases/tag/3.1.24)\n\n### Workarounds\n- Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible\n- Otherwise, upgrade to patched versions",
  "id": "GHSA-x7m9-mwc2-g6w2",
  "modified": "2026-06-09T10:32:38Z",
  "published": "2026-05-18T17:23:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/verbb/formie"
    },
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/releases/tag/2.2.20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/releases/tag/3.1.24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Formie: Pre-authenticated server-side template injection in Hidden fields"
}

GHSA-XJW8-8C5C-9R79

Vulnerability from github – Published: 2026-04-15 19:46 – Updated: 2026-04-24 20:53
VLAI
Summary
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Details

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.4.RELEASE.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.

Credits

Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.thymeleaf:thymeleaf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.thymeleaf:thymeleaf-spring5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.thymeleaf:thymeleaf-spring6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:46:23Z",
    "nvd_published_at": "2026-04-17T22:16:33Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nA security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI).\n\n### Patches\nThis has been fixed in Thymeleaf 3.1.4.RELEASE.\n\n### Workarounds\nNo workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.\n\n### Credits\nThanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.",
  "id": "GHSA-xjw8-8c5c-9r79",
  "modified": "2026-04-24T20:53:26Z",
  "published": "2026-04-15T19:46:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thymeleaf/thymeleaf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf"
}

Mitigation
Architecture and Design

Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.

Mitigation
Implementation

Use the template engine's sandbox or restricted mode, if available.

No CAPEC attack patterns related to this CWE.