CVE-2026-34984 External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap but...
Cross-site Scripting (XSS)
Overview: PraisonAI is an AI Agents Framework with Self Reflection. The PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
CVE-2026-35571
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript:...
RAGFlow Security Vulnerability
RAGFlow is an open-source RAG engine based on deep document understanding, developed by InfiniFlow. Versions of RAGFlow prior to 0.24.0 contain security vulnerabilities. These vulnerabilities stem from the Agent’s Text Processing and Message components using the non-sandboxed jinja2.Template for...
Handlebars.js Security Vulnerability
Handlebars.js is an open-source JavaScript templating engine developed by The Handlebars Templating Language project. Versions of Handlebars.js 4.7.8 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the special variable @partial-block, which could be overwritten...
CVE-2026-28499
LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection Array / Dictionary via value. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes...
UBUNTU-CVE-2026-32608
Glances is an open-source, cross-platform system monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., name, key) that are populated with runtime...
[SECURITY] [DLA 4502-1] ansible security update
Debian LTS Advisory DLA-4502-1 [email protected] https://www.debian.org/lts/security/ Lee Garrett March 17, 2026 https://wiki.debian.org/LTS Package : ansible Version : 2.10.7+merged+base+2.10.17+dfsg-0+deb11u4 CVE ID : CVE-2024-11079 Debian Bug : 1088106 A flaw was found in ansible, a...
Debian dla-4502 : ansible - security update
The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4502 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4502-1 [email protected] https://www.debian.org/lts/security/ L...
Exploit for Code Injection in Jenkins Templating_Engine
CVE-2025-31722 — Jenkins Templating Engine RCE For educat...
📄 Skyvern 0.1.84 Template Injection / Code Execution
Skyvern version 0.1.84 remote code execution proof of concept exploit that leverages a vulnerability in workflow creation functionality where user-supplied input in the prompt field is processed through Jinja2 templating engine without proper sanitization, allowing attackers to execute arbitrary...
UBUNTU-CVE-2026-25731
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index...
EUVD-2026-5573
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index...
GO-2026-4357 Incus container image templating arbitrary host file read and write in github.com/lxc/incus
Incus container image templating arbitrary host file read and write in github.com/lxc/incus...
PT-2026-6517
Incus container image templating arbitrary host file read and write in github.com/lxc/incus...
GO-2026-4330 External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function in github.com/external-secrets/external-secrets
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function in github.com/external-secrets/external-secrets...
PT-2026-6506
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function in github.com/external-secrets/external-secrets...
Huawei EulerOS: Security Advisory for python-jinja2 (EulerOS-SA-2026-1193)
The remote host is missing an update for the Huawei EulerOS...
CVE-2025-69516
A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the...