CWE-1336
AllowedImproper Neutralization of Special Elements Used in a Template Engine
Abstraction: Base · Status: Incomplete
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
312 vulnerabilities reference this CWE, most recent first.
GHSA-XQMJ-J6MV-4862
Vulnerability from github – Published: 2026-04-24 16:02 – Updated: 2026-05-12 13:27Impact
The POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.
The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.
Proxy deployments running an affected version are in scope.
Patches
The issue is fixed in 1.83.7-stable. The fix switches the prompt template renderer to a sandboxed environment that blocks the attributes this attack relies on.
LiteLLM recommends upgrading to 1.83.7-stable or later.
Workarounds
If upgrading is not immediately possible:
- Block
POST /prompts/testat your reverse proxy or API gateway. - Review and rotate API keys that should not have access to prompt management routes.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm"
},
"ranges": [
{
"events": [
{
"introduced": "1.80.5"
},
{
"fixed": "1.83.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42203"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T16:02:42Z",
"nvd_published_at": "2026-05-08T04:16:19Z",
"severity": "HIGH"
},
"details": "### Impact\nThe `POST /prompts/test` endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.\n\nThe endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.\n\nProxy deployments running an affected version are in scope.\n\n### Patches\nThe issue is fixed in **`1.83.7-stable`**. The fix switches the prompt template renderer to a sandboxed environment that blocks the attributes this attack relies on.\n\nLiteLLM recommends upgrading to `1.83.7-stable` or later.\n\n### Workarounds\nIf upgrading is not immediately possible:\n\n1. Block `POST /prompts/test` at your reverse proxy or API gateway.\n2. Review and rotate API keys that should not have access to prompt management routes.",
"id": "GHSA-xqmj-j6mv-4862",
"modified": "2026-05-12T13:27:01Z",
"published": "2026-04-24T16:02:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42203"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiteLLM: Server-Side Template Injection in /prompts/test endpoint"
}
GHSA-XRH7-2GFQ-4RCQ
Vulnerability from github – Published: 2024-07-17 21:31 – Updated: 2024-12-18 22:03A Server-Side Template Injection (SSTI) vulnerability in the Theme Editor Function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "opencart/opencart"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36694"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-17T23:36:49Z",
"nvd_published_at": "2024-07-17T19:15:11Z",
"severity": "MODERATE"
},
"details": "A Server-Side Template Injection (SSTI) vulnerability in the Theme Editor Function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload.",
"id": "GHSA-xrh7-2gfq-4rcq",
"modified": "2024-12-18T22:03:16Z",
"published": "2024-07-17T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36694"
},
{
"type": "WEB",
"url": "https://github.com/opencart/opencart/issues/13863"
},
{
"type": "WEB",
"url": "https://github.com/A3h1nt/CVEs/blob/main/OpenCart/Readme.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencart/opencart"
},
{
"type": "WEB",
"url": "https://github.com/opencart/opencart/releases/tag/4.0.2.3"
},
{
"type": "WEB",
"url": "https://medium.com/@pawarit.sanguanpang/opencart-v4-0-2-3-server-side-template-injection-0b173a3bdcf9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "openCart Server-Side Template Injection (SSTI) vulnerability"
}
Mitigation
Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Mitigation
Use the template engine's sandbox or restricted mode, if available.
No CAPEC attack patterns related to this CWE.