
RedhatCVE
added 6 days ago, 5 views

CVE-2026-44209

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment unsandboxed to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt are vulnerable to Server-Side Template Injection...

CVSS 7.5, AI score 5.7, EPSS 0.00166
Exploits: 0, References: 1
RedhatCVE
added 2026/06/05 7:18 p.m., 7 views

CVE-2026-9558

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the...

CVSS 9.9, AI score 6.1, EPSS 0.00219
Exploits: 0, References: 1
EUVD
added 2026/06/04 1:22 p.m., 7 views

EUVD-2019-20165

PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection payloads like shellex...

CVSS 9.8, AI score 6.1, EPSS 0.00051
Exploits: 0, References: 4
Nuclei
added 2026/06/04 3:48 a.m., 38 views

playSMS <1.4.3 - Remote Code Execution

PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template. id: CVE-2020-8644 info: name: playSMS 1.4.3 - Remote Code Execution author: dbrwsky severity: critical description: PlaySMS before version 1.4.3 is susceptible to remote code...

CVSS 9.8, AI score 7.9, EPSS 0.94062
Exploits: 6, References: 5
NVD
added 2026/06/02 10:16 a.m., 9 views

CVE-2026-34906

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed ...

CVSS 9.3, EPSS 0.0038
Exploits: 0, References: 2
ATTACKERKB
added 2026/06/02 8:31 a.m., 6 views

CVE-2026-34906

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed ...

CVSS 9.3, AI score 6, EPSS 0.0038
Exploits: 0, References: 3
Nuclei
added 2026/06/01 5:38 a.m., 65 views

Hitachi Pentaho Business Analytics Server - Remote Code Execution

Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby...

CVSS 8.8, AI score 7.9, EPSS 0.93976
Exploits: 6, References: 3
Positive Technologies
added 2026/05/28 12:00 a.m., 6 views

PT-2026-44548

A High severity Server-Side Template Injection (SSTI) vulnerability exists in the trestle author jinja command. The command recursively evaluates rendered templates, allowing an attacker to achieve arbitrary command execution with privileges of the running process by injecting malicious payloads in...

CVSS 7.8, AI score 6.2
Exploits: 0, References: 5
EUVD
added 2026/05/26 8:46 p.m., 10 views

EUVD-2026-31997

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment unsandboxed to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt are vulnerable to Server-Side Template Injection...

CVSS 7.5, AI score 5.9, EPSS 0.00166
Exploits: 0, References: 2
Cvelist
added 2026/05/19 9:24 a.m., 37 views

CVE-2026-31380 Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

EPSS 0.00187
Exploits: 0, References: 1
Cvelist
added 2026/05/19 9:18 a.m., 33 views

CVE-2026-29207 Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

EPSS 0.00192
Exploits: 0, References: 1
Packet Storm
added 2026/05/14 12:00 a.m., 31 views

WordPress Supsystic Contact Form 1.7.36 Server-Side Template Injection

Proof of concept code execution exploit for a server-side template injection vulnerability in WordPress Supsystic Contact Form plugin versions 1.7.36 and below Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI Date: 3/30/2026 Exploit Author: bootstrapbool Vendor Homepage:...

CVSS 9.8, AI score 6.2, EPSS 0.86931
Exploits: 7
Cvelist
added 2026/05/13 8:36 p.m., 27 views

CVE-2026-44377 CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart including Email Templates and Documents. The application unsafely evaluates user-supplied input directly through the Smarty templat...

CVSS 9.1, EPSS 0.00191
Exploits: 0, References: 2
RedhatCVE
added 2026/05/13 2:21 p.m., 11 views

CVE-2026-44129

SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts an attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code executio...

CVSS 8.3, AI score 6.7, EPSS 0.00537
Exploits: 0, References: 1
Packet Storm
added 2026/05/11 12:00 a.m., 67 views

Contact Form by Supsystic 1.7.36 Server-Side Template Injection

Contact Form by Supsystic versions 1.7.36 and below server-side template injection exploit that achieves remote code execution. import requests import argparse import re import urllib.parse def checksstiurl, fieldname: printf" Testing SSTI on url with field fieldname..." Simple arithmetic test...

CVSS 9.8, AI score 6.1, EPSS 0.86931
Exploits: 7
CVE
added 2026/05/08 1:14 p.m., 18 views

CVE-2026-44129

CVE-2026-44129 affects SEPPmail Secure Email Gateway prior to version 15.0.4, where a server-side template injection exists in the new GINA UI. An endpoint accepts attacker-controlled templates, enabling remote attackers to execute arbitrary template expressions and potentially achieve remote cod...

CVSS 8.3, AI score 6.7, EPSS 0.00537
Exploits: 0, References: 2
ATTACKERKB
added 2026/05/08 12:00 a.m., 4 views

CVE-2024-46507

An SSTI (server-side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server...

AI score 6, EPSS 0.00277
Exploits: 2, References: 3
RedhatCVE
added 2026/05/06 8:22 p.m., 4 views

CVE-2026-38431

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered...

CVSS 9.8, AI score 5.8, EPSS 0.00065
Exploits: 1, References: 1
GithubExploit
added 2026/05/03 1:27 p.m., 61 views

WebPentestKit2

WebPentestKit2: Advanced Web Application Exploitatio...

AI score 6.2
Exploits: 0
Github Security Blog
added 2026/04/24 4:02 p.m., 24 views

LiteLLM: Server-Side Template Injection in /prompts/test endpoint

Impact The POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user cou...

CVSS 8.8, AI score 5.9, EPSS 0.00067
Exploits: 1, References: 4, Affected Software: 1