13197 matches found
CVE-2026-14987
CVE-2026-14987 affects GiveWP (WordPress) up to version 4.16.3. The issue is a stored XSS via the twitter_message field in the Sequoia Template Settings, caused by insufficient input sanitization and output escaping. An authenticated attacker with give worker-level access (or higher) can inject a...
CVE-2026-49867
DataEase (open source data visualization tool) contains an authenticated stored XSS in template static resources prior to version 2.10.23. The flaw occurs when authenticated users submit TemplateManageRequest.staticResource via POST /de2api/templateManage/save or via DataVisualizationServer.decom...
CVE-2026-45419
DataEase contains an arbitrary file write vulnerability present before version 2.10.23. The flaw resides in template handling: the TemplateManageService#save, StaticResourceServer#saveFilesToServe methods and the /de2api/templateManage/save endpoint accept attacker-controlled staticResource names...
EUVD-2026-44704
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's norm...
CVE-2026-55242
CVE-2026-55242 affects ERPNext prior to 15.111.0 and 16.22.0, where an authenticated user with a standard operational role can trigger a server-side template injection via a configuration field in Batch autonaming (Stock Settings.naming_series_prefix). This leads to unauthorized disclosure of dat...
CVE-2026-55242 ERPNext: Server-Side Template Injection (SSTI) in Batch autonaming via Stock Settings.naming_series_prefix
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's norm...
CVE-2026-46635
A flaw was found in Twig, a template language for PHP. An untrusted template author, with the column filter in their allowed filters, can exploit this vulnerability. The column filter incorrectly passes object arrays to PHP's arraycolumn function, which can read properties that are not restricted...
CVE-2026-48808
A flaw was found in Twig, a template language for PHP. The column filter in Twig fails to properly forward the active sandbox state, specifically the current Source to the SandboxExtension::checkPropertyAllowed function. This oversight results in the loss of SourcePolicyInterface decisions,...
CVE-2026-46633
A flaw was found in Twig, a template language for PHP. This vulnerability occurs because the Compiler::string function does not properly escape single quotes when processing a template name from a % use % tag within a PHP single-quoted string literal. A remote attacker could craft a malicious...
CVE-2026-46639
A flaw was found in Twig, a template language for PHP. An attacker with write access to a sandboxed Twig template can bypass security restrictions due to an issue in object-destructuring assignment. This allows them to read public properties or invoke public methods on objects, leading to...
CVE-2026-46638
A flaw was found in Twig, a template language for PHP. A security vulnerability exists where a template included within a restricted sandbox environment can bypass security checks if it was previously loaded without these restrictions. This allows the template to execute unauthorized functions,...
CVE-2026-47732
A flaw was found in Twig, a template language for PHP. This vulnerability allows a sandboxed template author to bypass security policies by triggering PHP string coercion on specific language constructs. This can lead to information disclosure, as an attacker may be able to invoke toString on...
CVE-2026-58655
The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...
EUVD-2026-44633
The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...
CVE-2026-49978
A flaw was found in DOMPurify, a tool designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. When performing in-place sanitization, DOMPurify could fail to properly process content within shadow DOM elements attached to a .content. This oversight allows an attacke...
WordPress Contact Form by Supsystic - Server-Side Template Injection
Contact Form by Supsystic WordPress plugin = 1.7.36 contains a server-side template injection caused by unsandboxed TwigLoaderString and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters. id: CVE-2026-4257 info: name: WordPress Contact...
OpenCATS - Open Redirect
OpenCATS contains an open redirect vulnerability due to improper validation of user-supplied GET parameters. This, in turn, exposes OpenCATS to possible template injection and obtaining sensitive information, modifying data, and/or executing unauthorized operations. id: CVE-2023-27292 info: name:...
OpenCMS 14 & 15 - Cross Site Scripting
Cross-site scripting XSS vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. id: CVE-2023-6379 info: name: OpenCMS 14 & 15 - Cross Site Scripting author: msegoviag severity: medium description: | Cross-site scripting XSS vulnerability in Alkacon...
XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)
XWiki = 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic. id: CVE-2025-51991 info: name: XWiki = 17.3.0 -...
OpenAM<=15.0.3 FreeMarker - Template Injection
OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input id: CVE-2024-41667 info: name: OpenAM=15.0.3 FreeMarker - Template Injection...