Lucene search
K
PalletsprojectsJinja

8 matches found

CVE
CVE
added 2025/03/05 8:40 p.m.1908 views

CVE-2025-27516

CVE-2025-27516 : Jinja2 before 3.1.6 exposes a sandbox bypass via the |attr filter, allowing arbitrary Python code execution if an attacker controls template content. Affected: jinja2 versions prior to 3.1.6. Impact: execution of code in untrusted templates. Remediation: upgrade to 3.1.6 or newer...

8.8CVSS7.6AI score0.00465EPSS
CVE
CVE
added 2024/12/23 3:43 p.m.941 views

CVE-2024-56326

CVE-2024-56326 affects Jinja2 prior to 3.1.5, where an oversight in the sandboxed environment allows an attacker who can control template content to execute arbitrary Python code. The vulnerability arises from how calls to str.format can be indirectly invoked via filters, bypassing sandbox protec...

7.8CVSS7.1AI score0.005EPSS
CVE
CVE
added 2024/01/11 2:25 a.m.584 views

CVE-2024-22195

CVE-2024-22195 affects Jinja2: the xmlattr filter can accept keys/values that bypass escaping, enabling possible XSS via HTML attribute injection. Public notes show affected packages including python-jinja2 and jinja2, with fixes in 3.1.4 (e.g., Astra Linux entry indicates 3.1.4 as the patch). De...

6.1CVSS6.6AI score0.00892EPSS
CVE
CVE
added 2019/04/06 11:17 p.m.572 views

CVE-2019-10906

CVE-2019-10906 affects Pallets Jinja2 before 2.10.1. The vulnerability arises from str.format_map allowing a sandbox escape, enabling potentially untrusted template code to escape sandbox restrictions. The issue is blocked to Jinja2’s sandboxed evaluation and affects environments using Pallets Ji...

8.6CVSS8.4AI score0.03603EPSS
CVE
CVE
added 2021/02/01 7:30 p.m.464 views

CVE-2020-28493

CVE-2020-28493 affects jinja2 up to version 2.11.3 (inclusive of 0.0.0 to before 2.11.3). The root cause is a Denial of Service likely caused by the regex in the _punctuation_re used by the urlize filter, leading to excessive CPU on crafted input. Public documents identify this ReDoS vulnerabilit...

5.3CVSS6.2AI score0.03546EPSS
CVE
CVE
added 2024/12/23 3:37 p.m.417 views

CVE-2024-56201

CVE-2024-56201 affects the Jinja2 templating engine (Python). In Jinja2 3.x prior to 3.1.5, a bug in the compiler allows arbitrary Python code execution when an attacker can control both the template content and its filename. The vulnerability targets applications that render untrusted templates ...

8.8CVSS8.6AI score0.00301EPSS
CVE
CVE
added 2024/05/06 2:41 p.m.416 views

CVE-2024-34064

The CVE-2024-34064 issue affects Jinja2’s xmlattr filter, where keys containing non-attribute characters (e.g., spaces, /, >, =) can be rendered into HTML attributes, potentially enabling attribute-injection-based XSS when applications render user-supplied keys. The vulnerability arises if an ...

5.4CVSS6.2AI score0.00979EPSS
CVE
CVE
added 2019/04/08 1:0 p.m.413 views

CVE-2016-10745

CVE-2016-10745 affects Pallets Jinja2: in Pallets Jinja before 2.8.1, str.format allows a sandbox escape. Affected component is the Python Jinja2 library; root cause is sandbox escape via str.format parsing. Impact documented as sandbox escape (high risk per CVSS in references), with several advi...

8.6CVSS8.4AI score0.03492EPSS