Lucene search
K

44 matches found

OSV
OSV
added 6 days ago4 views

PYSEC-2026-1447 Insecure Jinja2 templates rendered in Haystack Components can lead to RCE

Impact Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. Patches The problem has been fix...

7.7CVSS6.1AI score0.01171EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/04/22 9:59 a.m.6 views

CVE-2026-40602

A flaw was found in the Home Assistant Command-line interface hass-cli. This command-line tool for Home Assistant used an unrestricted environment to handle Jinja2 templates, rather than a sandboxed one. A local user with high privileges could exploit this by providing malicious input within Jinj...

5.6CVSS6.2AI score0.00103EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/21 5:40 p.m.3 views

CVE-2026-40602 hass-cli: Handling of user-supplied Jinja2 templates

The Home Assistant Command-line interface hass-cli is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no...

5.6CVSS5.8AI score0.00103EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 5:40 p.m.39 views

CVE-2026-40602 hass-cli: Handling of user-supplied Jinja2 templates

The Home Assistant Command-line interface hass-cli is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no...

5.6CVSS0.00103EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.10 views

Home Assistant 代码注入漏洞

Home Assistant is an open-source family automation management system developed by Home Assistant. This system is primarily used to control household automation devices. Versions of Home Assistant prior to 1.0.0 had a code injection vulnerability. This vulnerability stemmed from the use of unlimit...

5.6CVSS5.9AI score0.00103EPSS
Exploits0References1
OSV
OSV
added 2026/04/16 9:28 p.m.1 views

GHSA-33QF-Q99X-WPM8 Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates

Impact Up to 1.0.0 of home-assitant-cli or hass-cli for short an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and...

5.6CVSS6.3AI score0.00103EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/16 9:28 p.m.11 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview homeassistant-cli is a Command-line tool for Home Assistant. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the handling of user-supplied Jinja2 templates. An attacker can execute arbitrary code by convincing ...

5.6CVSS6.2AI score0.00103EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/03 11:14 p.m.5 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the generatecontainerfile function when rendering user-supplied Jinja2 templates in an unsandboxed...

9.6CVSS6.3AI score0.00392EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/03 9:41 p.m.3 views

CVE-2026-28797

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. In versions 0.24.0 and prior, a Server-Side Template Injection SSTI vulnerability exists in RAGFlow's Agent workflow Text Processing StringTransform and Message components. These components use Python's jinja2.Template unsandbox...

8.7CVSS6.2AI score0.00386EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/26 1:39 a.m.4 views

CVE-2026-27961 Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE

Agenta is an open-source LLMOps platform. A Server-Side Template Injection SSTI vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when runni...

8.8CVSS6AI score0.00318EPSS
Exploits0References1
EUVD
EUVD
added 2026/01/29 12:0 a.m.8 views

EUVD-2025-206512

A Server-Side Template Injection SSTI vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the...

8.8CVSS6.1AI score0.021EPSS
Exploits4References3
NVD
NVD
added 2025/12/15 6:15 p.m.5 views

CVE-2025-66436

An SSTI Server-Side Template Injection vulnerability exists in the gettermsandconditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates terms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

4.3CVSS0.00289EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/12/15 12:0 a.m.3 views

CVE-2025-66434

An SSTI Server-Side Template Injection vulnerability exists in the getdunninglettertext method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates bodytext using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

7.1AI score0.00507EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/12/15 12:0 a.m.4 views

CVE-2025-66436

An SSTI Server-Side Template Injection vulnerability exists in the gettermsandconditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates terms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

7.1AI score0.00289EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/12/15 12:0 a.m.27 views

CVE-2025-66435

An SSTI Server-Side Template Injection vulnerability exists in the getcontracttemplate method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates contractterms using frappe.rendertemplate with a user-supplied context doc. Although Frappe uses a custom...

0.00289EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2021-0213

Malware in sbrugna...

6.1CVSS6.2AI score0.00699EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-19586

Malicious code in bioql PyPI...

8.8CVSS6.4AI score0.00465EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-2367

Malicious code in bioql PyPI...

7.5CVSS7.4AI score0.01171EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2024-0284

Malicious code in bioql PyPI...

9.8CVSS7.8AI score0.01552EPSS
Exploits1References12
Tenable Nessus
Tenable Nessus
added 2025/09/17 12:0 a.m.7 views

Amazon Linux 2 : python-templated-dictionary, --advisory ALAS2MOCK2-2025-001 (ALASMOCK2-2025-001)

It is, therefore, affected by a vulnerability as referenced in the ALAS2MOCK2-2025-001 advisory. The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems...

9.8CVSS8.1AI score0.01552EPSS
Exploits1References4
Rows per page
Query Builder