Lucene search
K

800 matches found

Nuclei
Nuclei
added yesterday147 views

Nodejs Squirrelly - Remote Code Execution

Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuratio...

8.8CVSS7.4AI score0.59844EPSS
Exploits2
OSV
OSV
added last week3 views

CVE-2026-55575 LiquidJS: `pop` filter bypasses `memoryLimit` accounting that its array-filter siblings enforce

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.27.1, the pop array filter at src/filters/array.ts allocated a full clone of its input array via ...toArrayv without calling this.context.memoryLimit.use..., allowing a template render such as hugearra...

8.2CVSS6.1AI score0.00384EPSS
Exploits0References6
OSV
OSV
added last week2 views

CVE-2026-55760 handlebars.java FileTemplateLoader Path Traversal

Handlebars.java provides logic-less and semantic Mustache templates with Java. Prior to 4.5.2, applications that pass user-controlled input to Handlebars.compile using FileTemplateLoader or ClassPathTemplateLoader are vulnerable to path traversal, allowing arbitrary file read through template nam...

7.5CVSS6.2AI score0.00414EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-310 changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution

Summary A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host. Details changedetection.io version: 0.45.20 docker images REPOSITORY TAG IMAGE ID CREATED SIZE dgtlmoon/changedetection.io latest...

10CVSS7.4AI score0.83722EPSS
Exploits5References8
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-387 LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint

BerriAI/litellm is vulnerable to Server-Side Template Injection SSTI via the /completions endpoint. The vulnerability arises from the hfchattemplate method processing the chattemplate parameter from the tokenizerconfig.json file through the Jinja template engine without proper sanitization...

9.8CVSS7.7AI score0.01256EPSS
Exploits1References9
NVD
NVD
added 2026/06/26 6:16 p.m.10 views

CVE-2026-33646

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not...

9.6CVSS0.00685EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:51 p.m.8 views

CVE-2026-33646

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not...

9.6CVSS6AI score0.00685EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/26 3:45 p.m.7 views

CVE-2026-0685

Server side template inject SSTI in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution RCE via crafted template expressions...

9.8CVSS6.7AI score0.00726EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 3:45 p.m.32 views

CVE-2026-0685

CVE-2026-0685 affects the Genshi Template Engine (version 0.7.9). The SSTI vulnerability arises in the expression evaluation component due to unsafe use of Python’s eval() and exec() with fallback to Python built-ins, enabling arbitrary code execution if an attacker can influence template express...

9.8CVSS6.7AI score0.00726EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 3:45 p.m.6 views

EUVD-2026-39792

Server side template inject SSTI in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution RCE via crafted template expressions...

9.8CVSS6.7AI score0.00726EPSS
Exploits0References1
OSV
OSV
added 2026/06/26 3:45 p.m.2 views

CVE-2026-0685 Server side template inject (SSTI) in Edgewall Genshi Template Engine

Server side template inject SSTI in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution RCE via crafted template expressions...

9.8CVSS6.8AI score0.00726EPSS
Exploits0References4
OSV
OSV
added 2026/06/24 5:38 p.m.4 views

GHSA-7FQ5-7WR8-RJWJ OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination

Summary OliveTin's template engine uses a single shared text/template.Template instance tpl package-level variable in service/internal/tpl/templates.go across all goroutines. Every action execution calls tpl.Parsesource followed by t.Execute on this shared instance with no synchronization. When t...

7.5CVSS6.1AI score0.00401EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50772

Name of the Vulnerable Software and Affected Versions JTL Shop versions 5.2.0 through 5.7.1 Description Unauthenticated attackers can inject malicious template syntax because unsanitized user-supplied input is passed to the Smarty template engine, a tool used to generate dynamic web content. This...

9.8CVSS6.1AI score0.00333EPSS
Exploits1References9
Snyk
Snyk
added 2026/06/17 10:20 p.m.3 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the checkMethodAllowed and checkPropertyAllowed implementations of the custom Twig...

8.6CVSS6AI score0.00623EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 5:16 p.m.11 views

CVE-2026-20220

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine of the...

6.3CVSS0.00253EPSS
Exploits0References1
CVE
CVE
added 2026/06/17 4:17 p.m.29 views

CVE-2026-20220

Cisco CVE-2026-20220 affects the web-based management interface of Cisco Crosswork Network Controller. The root cause is insufficient input validation in the configuration template engine. An authenticated attacker with write permissions to a template user can send crafted requests to execute arb...

6.3CVSS6.2AI score0.00253EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/17 4:17 p.m.11 views

EUVD-2026-37750

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine of the...

6.3CVSS6.1AI score0.00253EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/17 4:17 p.m.24 views

CVE-2026-20220 Cisco Crosswork Network Controller Remote Code Execution Vulnerability

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine of the...

6.3CVSS0.00253EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50460

Name of the Vulnerable Software and Affected Versions Cisco Crosswork Network Controller affected versions not specified Description Insufficient input validation in the configuration template engine of the web-based management interface allows an authenticated remote attacker to execute arbitrar...

6.3CVSS6.4AI score0.00253EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/05 7:49 p.m.14 views

CVE-2026-5559

A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function issafeast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may...

6.5CVSS5.7AI score0.00314EPSS
Exploits0References1
Rows per page
Query Builder