CVE-2026-54068

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint...

CVE-2026-33235

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions prior to 0.6.52, the Fill Text Template block is vulnerable to a Denial of Service DoS attack. While the backend implements a SandboxedEnvironment to prevent...

EUVD-2026-36906

OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination...

CVE-2026-50698

CVE-2026-50698 describes a Stored XSS in Frappe Framework 17.0.0-dev, arising from improper neutralization of user-controlled input in the Audit Trail template rendering. The description indicates the vulnerability is a content injection flaw that could affect HTML output. No exploitation details...

Node.js Embedded JavaScript 3.1.6 - Template Injection

Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settingsview optionsoutputFunctionName, which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation. id:...

Shield Security WP Plugin <= 18.5.9 - Local File Inclusion

The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the renderactiontemplate parameter. This makes it possible for unauthenticated attacker to include and execute PHP fil...

Nodejs Squirrelly - Remote Code Execution

Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuratio...

XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)

XWiki = 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic. id: CVE-2025-51991 info: name: XWiki = 17.3.0 -...

OpenCMS 14 & 15 - Cross Site Scripting

Cross-site scripting XSS vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. id: CVE-2023-6379 info: name: OpenCMS 14 & 15 - Cross Site Scripting author: msegoviag severity: medium description: | Cross-site scripting XSS vulnerability in Alkacon...

PHPCMS 2008 - Remote Code Execution via Template Injection

PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable. id: CVE-2018-19127 info: name: PHPCMS 2008 - Remote Code Execution via Template Injection author: tomaquet18...

Premium Addons for Elementor - Unauthenticated Information Disclosure

Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability.The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...

OpenAM<=15.0.3 FreeMarker - Template Injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input id: CVE-2024-41667 info: name: OpenAM=15.0.3 FreeMarker - Template Injection...

OpenCATS - Open Redirect

OpenCATS contains an open redirect vulnerability due to improper validation of user-supplied GET parameters. This, in turn, exposes OpenCATS to possible template injection and obtaining sensitive information, modifying data, and/or executing unauthorized operations. id: CVE-2023-27292 info: name:...

WordPress Contact Form by Supsystic - Server-Side Template Injection

Contact Form by Supsystic WordPress plugin = 1.7.36 contains a server-side template injection caused by unsandboxed TwigLoaderString and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters. id: CVE-2026-4257 info: name: WordPress Contact...

Koha 3.20.1 - Directory Traversal

Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f dot dot encoded slash in the templatepath parameter to 1 svc/virtualshelves/search or 2 svc/members/search. id: CVE-2015-4632 info: name:...

JeecgBoot JimuReport - Template injection

A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit has been disclosed t...

CVE-2026-47376

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS HTML-entity-encodes a fixed set of characters but does not escape single quotes or...

CVE-2026-47376 NocoDB: Reflected Cross-Site Scripting via Password Reset Token

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS HTML-entity-encodes a fixed set of characters but does not escape single quotes or...

CVE-2026-47376

CVE-2026-47376 (NocoDB) describes a reflected XSS on the password-reset flow. Before 2026.04.1, the token from the password-reset URL was directly embedded into a JavaScript string in a server-rendered EJS template, which does not escape single quotes or backslashes. This allowed an attacker-cont...

CVE-2026-28496

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...