Lucene search
K

792 matches found

OSV
OSV
added 2026/04/25 6:32 p.m.4 views

GHSA-H3RR-9WQJ-V3C6 AstrBot has Incomplete Filtering of Special Elements

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

5.1CVSS5.5AI score0.00299EPSS
Exploits0References6
NVD
NVD
added 2026/04/25 4:16 p.m.6 views

CVE-2026-6984

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

5.8CVSS0.00299EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/25 3:30 p.m.45 views

CVE-2026-6984 AstrBotDevs AstrBot Dashboard API t2i.py create_template special elements used in a template engine

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

5.8CVSS0.00299EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/25 3:30 p.m.10 views

EUVD-2026-25660

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

5.8CVSS4.9AI score0.00299EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/25 3:30 p.m.3 views

CVE-2026-6984

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

5.8CVSS4.8AI score0.00299EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/04/25 3:30 p.m.19 views

CVE-2026-6984

AstrBotDevs AstrBot up to version 4.22.1 contains a vulnerability in the Dashboard API, specifically in the create_template function (astrbot/dashboard/routes/t2i.py). The issue is improper neutralization of special elements used in the template engine, enabling remote execution. Public exploit i...

5.8CVSS4.9AI score0.00299EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/25 12:0 a.m.12 views

PT-2026-35155

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The...

5.8CVSS5.1AI score0.00299EPSS
Exploits0References6
Snyk
Snyk
added 2026/04/24 4:2 p.m.4 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them...

8.8CVSS6.2AI score0.00373EPSS
Exploits1References2
OSV
OSV
added 2026/04/24 3:16 a.m.5 views

DEBIAN-CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other public methods th...

8.1CVSS6.1AI score0.01131EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/24 2:51 a.m.4 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the Option::render and Options::factory code paths in the Option, Options, OptionsApi, and OptionsQuery classes. An attacker can inject template/query syntax into...

8.6CVSS5.4AI score0.00334EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/04/24 2:35 a.m.5 views

CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other public methods th...

8.1CVSS6.1AI score0.01131EPSS
Exploits0
UbuntuCve
UbuntuCve
added 2026/04/24 12:0 a.m.4 views

CVE-2026-41205

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...

8.7CVSS5.8AI score0.00361EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/21 7:21 p.m.32 views

CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS0.00805EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.19 views

PT-2026-34057

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $ SERVER'REQUEST URI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

2.1CVSS5.8AI score0.00805EPSS
Exploits0References2
CVE
CVE
added 2026/04/17 9:57 p.m.346 views

CVE-2026-40478

CVE-2026-40478 affects the Thymeleaf Java template engine (versions up to 3.1.3.RELEASE). A security bypass allows unauthenticated SSTI by passing unvalidated input to the expression evaluation mechanism; this is fixed in 3.1.4.RELEASE. Connected sources consistently state the root cause as impro...

9CVSS6AI score0.00776EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/17 9:53 p.m.5 views

CVE-2026-40477 Improper restriction of the scope of accessible objects in Thymeleaf expressions

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...

9CVSS5.9AI score0.00862EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/17 8:56 p.m.3 views

CVE-2026-40302

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template which performs no HTML escaping instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the...

6.1CVSS5.8AI score0.00209EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/17 8:56 p.m.3 views

CVE-2026-40302 zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template which performs no HTML escaping instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the...

6.1CVSS5.8AI score0.00209EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.10 views

Giskard 安全漏洞

Giskard is an open-source evaluation and testing framework for artificial intelligence systems. Versions of Giskard prior to 1.0.2b1 contained security vulnerabilities. These vulnerabilities stemmed from the ConformityCheck class using the Jinja2 template engine to render rule parameters, which...

7.8CVSS6.1AI score0.00144EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.11 views

thymeleaf 安全漏洞

Thymeleaf is an open-source Java template engine developed by Thymeleaf projects. Versions of Thymeleaf 3.1.3.RELEASE and earlier contain security vulnerabilities. These vulnerabilities stem from a security bypass in the expression execution mechanism; certain syntax patterns are not properly...

9CVSS6.1AI score0.00776EPSS
Exploits0References1
Rows per page
Query Builder