CVE-2026-44209 Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI
Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment unsandboxed to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt are vulnerable to Server-Side Template Injection...
EUVD-2021-26286
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2021-39930
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a...
CVE-2021-39930
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates...
CVE-2024-7476
A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/id/versions endpoint. This issue is resolved in version 1.4....
PT-2025-12185 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.7 through 1.4.2 Description: A broken access control issue exists, allowing an authenticated attacker to modify any user's templates. This is achieved by sending a crafted HTTP POST request to the...
Twig security vulnerability
Twig is a PHP template engine open-sourced by Twig. A security vulnerability exists in Twig that stems from the fact that sandbox security checks will not be run under certain circumstances, allowing user-contributed templates to bypass sandbox restrictions...
BIT-GITLAB-2021-39930
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates...
SUSE CVE-2017-8438
Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the runas functionality. This bug prevents transitioning into the user specified in a runas request. If a role has been created using a template that contains the user properties, the behavior of runas...
Possible RCE when rendering untrusted user templates
Fix CVE-2022-0323, possible RCE when rendering untrusted user templates, reported by @altm4n via huntr.dev - Improve compatibility with PHP 8.1...
PT-2021-22769 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab EE versions 12.4 through 14.3.6 GitLab EE versions 14.4.0 through 14.4.4 GitLab EE versions 14.5.0 through 14.5.2 Description: The issue concerns missing authorization, allowing an attacker to access a user's custom project and group...
Mavenlink: CSRF Add user templates
Reproduction: ========== - Log in to account - Visit CSRF page below note default 30 seconds timeout, can be adjusted according to the connection speed: var a = window.open"https://app.mavenlink.com/projecttemplatesnew", "csrf", "height=100,width=100"; var intervalID = setTimeoutfunction a.close;...