20 matches found
CVE-2026-25077
Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can...
Apache CloudStack code injection vulnerability
Apache CloudStack is an IaaS cloud computing platform developed by the Apache Foundation in the United States. This platform is primarily used for deploying and managing large-scale virtual machine networks. Apache CloudStack has a code injection vulnerability, which stems from a lack of filename...
PraisonAI security vulnerability
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained security vulnerabilities. These vulnerabilities stemmed from treating remotely obtained template files as trusted executable code without performing integrity...
CVE-2025-40892
A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a...
EUVD-2025-18165
Malicious code in bioql PyPI...
EUVD-2024-31779
Malicious code in bioql PyPI...
EUVD-2023-1758
Malicious code in bioql PyPI...
Remote Code Execution (RCE)
craftcms/cms is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper handling of template input in Twig, which allows an attacker to inject malicious templates and execute arbitrary code on the server...
XWiki Platform security vulnerability
XWiki Platform is XWiki's open source suite of Wiki platforms for creating web collaboration applications. A security vulnerability exists in XWiki Platform that originates from a user being able to create documents containing malicious templates that could lead to the sending of spam...
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : Jinja2 vulnerabilities (USN-7343-1)
The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7343-1 advisory. Rafal Krupinski discovered that Jinja2 did not properly restrict the execution of cod...
Local File Inclusion (LFI)
io.pebbletemplates:pebble is vulnerable to Local File Inclusion (LFI). The vulnerability stems from improper access control on the include tag, which allows high-privileged attackers to read sensitive local files by crafting malicious notification templates...
CVE-2024-50386
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...
ALPINE-CVE-2024-56326
Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the...
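The Jinja advisory above turns on the fact that a plain Python str.format call with an attacker-controlled format string is itself an attribute-traversal primitive: replacement fields may use `.attr` and `[key]` to walk from any passed object to its class, its methods' globals, and on to imported modules, which is why the sandbox has to intercept such calls. The block below is an added illustration of that primitive and of the kind of check a sandbox needs; it is not Jinja's own code, and `ServiceConfig`, `unsafe_render`, `is_safe_format_string` and `safe_render` are names assumed for the example.

```python
import os      # imported only so the traversal below has a module-level name to reach
import string


class ServiceConfig:
    """Constructed stand-in for an object a template would be handed."""

    def __init__(self, name: str) -> None:
        self.name = name


def unsafe_render(fmt: str, obj: object) -> str:
    """Apply str.format to an attacker-controlled format string (the pattern to avoid)."""
    # "{0.name}" is harmless, but "{0.__init__.__globals__[os].getcwd}" walks from the
    # object to its __init__, to that function's module globals, to the os module, and
    # returns the repr of os.getcwd: the format string chose which object to reach.
    return fmt.format(obj)


def format_string_fields(fmt: str) -> list[str]:
    """Return the replacement-field names in fmt, e.g. '{0} {name}' -> ['0', 'name'].

    Raises ValueError for a syntactically broken format string (e.g. a lone '{').
    """
    return [field for _, field, _, _ in string.Formatter().parse(fmt) if field is not None]


def is_safe_format_string(fmt: str) -> bool:
    """True only if no replacement field uses attribute ('.') or index ('[') access.

    A malformed format string is treated as unsafe rather than as a parse error.
    """
    try:
        fields = format_string_fields(fmt)
    except ValueError:
        return False
    return all("." not in field and "[" not in field for field in fields)


def safe_render(fmt: str, obj: object) -> str:
    """Format only when the format string cannot traverse beyond the passed object."""
    if not is_safe_format_string(fmt):
        raise ValueError("format string uses attribute or index access")
    return fmt.format(obj)


if __name__ == "__main__":
    cfg = ServiceConfig("db")
    print(unsafe_render("{0.name}", cfg))
    print(unsafe_render("{0.__init__.__globals__[os].getcwd}", cfg))  # leaks os.getcwd
    print(is_safe_format_string("{0.__class__.__mro__}"))             # False
    print(safe_render("service={0}", "db"))
```

The check rejects every dotted or indexed field rather than trying to deny-list dunder names, because the traversal does not need a dunder at the first step (`{0.name}` and `{0.__class__}` are the same grammar) and deny-lists of dangerous attributes are exactly the kind of filter the Grav entry on this page describes being subverted.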
PT-2024-16180 · Ininet Solutions · Ininet Solutions Spidercontrol Scada Pc Hmi Editor
Name of the Vulnerable Software and Affected Versions: iniNet Solutions SpiderControl SCADA PC HMI Editor affected versions not specified Description: The issue is related to a path traversal vulnerability. When the software loads a malicious ems project template file created by an attacker, it c...
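Several entries on this page (the two CloudStack advisories on missing file name sanitization for registered templates, the Pebble include-tag LFI, and the SpiderControl project-template path traversal) come down to the same missing check: a name taken from a template is used to pick a file on the host without confining it to the intended directory. The block below is an added example of that check, written for this page rather than taken from any of those projects; `TEMPLATE_ROOT`, `sanitize_template_name` and `resolve_under_root` are names assumed for the example, and the template root path is constructed.

```python
import re
from pathlib import Path

# Constructed template directory for the example; a real service would use its own.
TEMPLATE_ROOT = Path("/var/lib/templates")

# Allowlist for a bare file name: starts with an alphanumeric, then at most 127 more
# characters drawn from alphanumerics, '.', '_' and '-'. No separators, no leading dot,
# no whitespace, no shell metacharacters, so the name is safe both as a path component
# and as an argument handed to a host-side tool.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def sanitize_template_name(name: str) -> str:
    """Return name unchanged if it is an acceptable bare file name, else raise ValueError."""
    if not isinstance(name, str) or not name:
        raise ValueError("empty template name")
    if "\x00" in name:
        raise ValueError("NUL byte in template name")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("path separators and dot directories are not allowed")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"template name fails allowlist: {name!r}")
    return name


def is_safe_template_name(name: str) -> bool:
    """Boolean form of sanitize_template_name for callers that prefer a check to an exception."""
    try:
        sanitize_template_name(name)
    except ValueError:
        return False
    return True


def resolve_under_root(name: str, root: Path = TEMPLATE_ROOT) -> Path:
    """Sanitize the name and confirm the resolved path is a direct child of root.

    The allowlist already excludes separators; the resolve step is defence in depth so
    that a later change to the allowlist cannot silently reopen traversal.
    """
    safe = sanitize_template_name(name)
    root_resolved = root.resolve()
    candidate = (root_resolved / safe).resolve()
    if candidate.parent != root_resolved:
        raise ValueError("resolved path escapes the template root")
    return candidate


if __name__ == "__main__":
    for candidate in ["ubuntu-24.04.qcow2", "../../etc/passwd", "disk.qcow2; id", ".ssh"]:
        print(f"{candidate!r:28} safe={is_safe_template_name(candidate)}")
    print(resolve_under_root("ubuntu-24.04.qcow2"))
```

An allowlist with a resolved-path check is preferable to stripping `../` or quoting metacharacters, because the same name typically reaches more than one consumer (a filesystem path on primary storage, an argument to an image conversion tool, a string in a generated config) and each of those would need its own escaping rules.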
GO-2024-2871 Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder
Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder...
Stacklok Minder vulnerable to denial of service from maliciously crafted templates
Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the...
Design/Logic Flaw
Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not...
foreman: cross-site scripting (XSS) flaw in template preview screen
A cross-site scripting (XSS) flaw was found in Foreman's template preview screen. A remote attacker could use this flaw to perform cross-site scripting attacks by tricking a user into viewing a malicious template. Note that templates are commonly shared among users...