Lucene search
K

54 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.10 views

CVE-2026-9558

A Server-Side Template Injection SSTI vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the...

9.9CVSS6.1AI score0.00439EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 11:16 a.m.19 views

CVE-2026-9558

A Server-Side Template Injection SSTI vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the...

9.9CVSS0.00439EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 10:1 a.m.9 views

CVE-2026-9558

A Server-Side Template Injection SSTI vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the...

9.9CVSS6.3AI score0.00439EPSS
Exploits0References2
CVE
CVE
added 2026/05/29 10:1 a.m.34 views

CVE-2026-9558

This CVE describes a Server-Side Template Injection (SSTI) in Mautic’s theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. With authenticated access to create or upload themes, an attacker could execute arbitrary code on the hosting server...

9.9CVSS6.3AI score0.00439EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.16 views

PT-2026-44802

Name of the Vulnerable Software and Affected Versions Mautic affected versions not specified Description A Server-Side Template Injection SSTI issue exists in the theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with...

9.9CVSS6.3AI score0.00439EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.10 views

Mautic 安全漏洞

Mautic is an open-source marketing automation software developed by Mautic. This software can monitor and manage websites, send emails, and manage customer resources. Mautic has a security vulnerability, which stems from server-side template injection in the theme engine. This vulnerability may...

9.9CVSS6.2AI score0.00439EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/11 12:57 p.m.9 views

Server-Side Request Forgery (SSRF)

Grav is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to unsafe processing of Twig templates with undefined PHP function registration enabled, which allows an attacker to trigger unauthorized server-side requests...

9.1CVSS5.8AI score0.00247EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/10 6:32 p.m.3 views

EUVD-2026-21557

Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files .tpl under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel...

5.3CVSS5.8AI score0.00245EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/10 6:32 p.m.1 views

CVE-2026-33705

Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files .tpl under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel...

5.3CVSS5.8AI score0.00245EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/10 6:32 p.m.10 views

CVE-2026-33705

CVE-2026-33705 affects Chamilo LMS. Prior to 1.11.38, Twig template files under /main/template/default/ were accessible without authentication via HTTP GET, exposing internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. The issue is fixed in 1.11.38. Reported ...

5.3CVSS5.8AI score0.00245EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.4 views

PT-2026-32020

Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files .tpl under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel...

5.3CVSS5.8AI score0.00245EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.7 views

Chamilo LMS 安全漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Prior to version 1.11.38, Chamilo LMS had security vulnerabilities. These vulnerabilities stemmed from the Twig...

5.3CVSS5.9AI score0.00245EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/04 4:26 p.m.8 views

CVE-2026-28697

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution RCE by injecting a Server-Side Template Injection SSTI payload into Twig template fields e.g., Email Templates. By calling the craft.app.fs.write...

9.4CVSS6.3AI score0.01067EPSS
Exploits1References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/04 4:26 p.m.4 views

CVE-2026-28697 Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution RCE by injecting a Server-Side Template Injection SSTI payload into Twig template fields e.g., Email Templates. By calling the craft.app.fs.write...

9.4CVSS6.3AI score0.01067EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/03/04 4:26 p.m.35 views

CVE-2026-28697 Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution RCE by injecting a Server-Side Template Injection SSTI payload into Twig template fields e.g., Email Templates. By calling the craft.app.fs.write...

9.4CVSS0.01067EPSS
Exploits1References4
CVE
CVE
added 2026/03/04 4:26 p.m.299 views

CVE-2026-28697

Craft CMS (CMS, versions prior to 4.17.0-beta.1 and 5.9.0-beta.1) is affected by an authenticated-admin remote code execution (RCE) via Server-Side Template Injection (SSTI) in Twig template fields (for example, Email Templates). The underlying issue is exploitability through the craft.app.fs.wri...

9.4CVSS6.3AI score0.01067EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/04 4:26 p.m.3 views

CVE-2026-28697 Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution RCE by injecting a Server-Side Template Injection SSTI payload into Twig template fields e.g., Email Templates. By calling the craft.app.fs.write...

9.4CVSS6.2AI score0.01067EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.8 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft Foundation. Versions prior to Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from server-side template injection attacks, where payloads were injected into Twig...

9.4CVSS6.2AI score0.01067EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/03 9:0 p.m.9 views

Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates

Summary An authenticated administrator can achieve Remote Code Execution RCE by injecting a Server-Side Template Injection SSTI payload into Twig template fields e.g., Email Templates. By calling the craft.app.fs.write method, an attacker can write a malicious PHP script to a web-accessible...

9.4CVSS6.4AI score0.01067EPSS
Exploits1References6Affected Software1
Snyk
Snyk
added 2026/03/03 9:0 p.m.8 views

Template Injection

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the craft.app.fs.write function in Twig templates. An attacker can execute arbitrary system commands and disclose sensitive information by injecting malicious payloads...

9.4CVSS5.9AI score0.01067EPSS
Exploits1References2
Rows per page
Query Builder