Common Weakness Enumeration

CWE-1336

Allowed

Improper Neutralization of Special Elements Used in a Template Engine

Abstraction: Base · Status: Incomplete

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

314 vulnerabilities reference this CWE, most recent first.

GHSA-374C-2PVV-FXF5

Vulnerability from github – Published: 2025-12-10 21:31 – Updated: 2025-12-17 21:30
VLAI
Details

A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T20:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.",
  "id": "GHSA-374c-2pvv-fxf5",
  "modified": "2025-12-17T21:30:41Z",
  "published": "2025-12-10T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65602"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/chancms/ChanCMS"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689?source=copy_link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3JGV-PFQJ-V626

Vulnerability from github – Published: 2024-04-26 06:30 – Updated: 2024-07-03 18:36
VLAI
Details

Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Batch-Issue Exam Tickets function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T04:15:09Z",
    "severity": "HIGH"
  },
  "details": "Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Batch-Issue Exam Tickets function.",
  "id": "GHSA-3jgv-pfqj-v626",
  "modified": "2024-07-03T18:36:57Z",
  "published": "2024-04-26T06:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32406"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/178251/Relate-Learning-And-Teaching-System-SSTI-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-46VF-C8GJ-2PGQ

Vulnerability from github – Published: 2024-04-22 21:31 – Updated: 2025-10-22 00:33
VLAI
Details

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-20",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-22T20:15:07Z",
    "severity": "HIGH"
  },
  "details": "VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.",
  "id": "GHSA-46vf-c8gj-2pgq",
  "modified": "2025-10-22T00:33:00Z",
  "published": "2024-04-22T21:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/airbus-cert/CVE-2024-4040"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4040"
    },
    {
      "type": "WEB",
      "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
    },
    {
      "type": "WEB",
      "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4J89-2C4F-44C6

Vulnerability from github – Published: 2026-06-22 23:58 – Updated: 2026-06-22 23:58
VLAI
Summary
Gogs has DoS in rendering issue index pattern
Details

Summary

Special template of issue index pattern may cause panic.

Details

in internal/markup/markup.go

link = fmt.Sprintf(`<a href="%s">%s</a>`, com.Expand(metas["format"], metas), m)

Issue index pattern is rendered to link with com.Expand.

However, com.Expand is not safe.

i = strings.Index(template, "}")
if s, ok := match[template[:i]]; ok {

when { is found but } not found, i comes to 1, template[:-1] will be called, and then panicked

image

finally, all pages than contains issue index are unavailable.

PoC

  1. set issue index pattern as follow

image

  1. add a commit which point to an issue in its msg

image

using #1 above

Impact

DoS that cause part of pages of the specify repo unavailable.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.14.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T23:58:17Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nSpecial template of issue index pattern may cause panic.\n\n### Details\n\nin internal/markup/markup.go\n\n```go\nlink = fmt.Sprintf(`\u003ca href=\"%s\"\u003e%s\u003c/a\u003e`, com.Expand(metas[\"format\"], metas), m)\n```\n\nIssue index pattern is rendered to link with `com.Expand`.\n\nHowever, `com.Expand` is not safe.\n\n```go\ni = strings.Index(template, \"}\")\nif s, ok := match[template[:i]]; ok {\n```\n\nwhen `{` is found but `}` not found, i comes to 1, template[:-1] will be called, and then panicked\n\n![image](https://user-images.githubusercontent.com/38121125/285883766-64873c44-d325-44ce-96a8-badbaadab178.png)\n\nfinally, all pages than contains issue index are unavailable.\n\n### PoC\n\n1. set issue index pattern as follow\n\n![image](https://user-images.githubusercontent.com/38121125/285878157-c5fe848e-0fbd-4fdb-92d4-5eb01df2b8ca.png)\n\n2. add a commit which point to an issue in its msg\n\n![image](https://user-images.githubusercontent.com/38121125/285879545-bc360503-49b9-453f-aa24-9a5c5a45cf10.png)\n\nusing `#1` above\n\n### Impact\n\nDoS that cause part of pages of the specify repo unavailable.",
  "id": "GHSA-4j89-2c4f-44c6",
  "modified": "2026-06-22T23:58:17Z",
  "published": "2026-06-22T23:58:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-4j89-2c4f-44c6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/0529d95fc39f2b6d2997b19a2a12e24522684722"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gogs has DoS in rendering issue index pattern"
}

GHSA-4PJC-PWGQ-Q9JP

Vulnerability from github – Published: 2024-12-11 18:44 – Updated: 2024-12-12 19:20
VLAI
Summary
SiYuan has an SSTI via /api/template/renderSprig
Details

Summary

Siyuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables

Impact

Information leakage

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20241210012039-5129ad926a21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-11T18:44:47Z",
    "nvd_published_at": "2024-12-12T02:15:32Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSiyuan\u0027s /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables\n\n### Impact\n\nInformation leakage",
  "id": "GHSA-4pjc-pwgq-q9jp",
  "modified": "2024-12-12T19:20:33Z",
  "published": "2024-12-11T18:44:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55660"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3324"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan has an SSTI via /api/template/renderSprig"
}

GHSA-4PQH-3F6P-63C5

Vulnerability from github – Published: 2026-06-02 12:31 – Updated: 2026-06-02 12:31
VLAI
Details

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.

This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-02T10:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell.\n\nThis issue affects Wirtualna Uczelnia versions up to\u00a0wu#2016.437.295#0#20260327_105545",
  "id": "GHSA-4pqh-3f6p-63c5",
  "modified": "2026-06-02T12:31:25Z",
  "published": "2026-06-02T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34906"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/06/CVE-2026-34906"
    },
    {
      "type": "WEB",
      "url": "https://simple.com.pl/branze/edukacyjna"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4R7V-WHPG-8RX3

Vulnerability from github – Published: 2024-10-15 18:05 – Updated: 2025-08-06 17:55
VLAI
Summary
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
Details

Summary

A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.

Details

changedetection.io version: 0.45.20

docker images
REPOSITORY                            TAG       IMAGE ID       CREATED        SIZE
dgtlmoon/changedetection.io           latest    53529c2e69f1   44 hours ago   423MB

The vulnerability is caused by the usage of vulnerable functions of Jinja2 template engine.

from jinja2 import Environment, BaseLoader
...
    # Get the notification body from datastore
    jinja2_env = Environment(loader=BaseLoader)
    n_body = jinja2_env.from_string(n_object.get('notification_body', '')).render(**notification_parameters)
    n_title = jinja2_env.from_string(n_object.get('notification_title', '')).render(**notification_parameters)

PoC

  1. Create/Edit a URL watch item
  2. Under Notifications tab insert this payload:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Screenshot from 2024-04-19 15-46-04

  1. See Telegram (or other supported messaging app) notification

Screenshot from 2024-04-19 16-02-12

Impact

In the PoC I've used id as payload and Telegram to read the result.
Attackers can run any system command without any restriction and they don't need to read the result in the notification app (e.g. they could use a reverse shell). The impact is critical as the attacker can completely takeover the server host. This can be reduced if changedetection access is protected by login page with a password, but this isn't required by the application (not by default and not enforced).

References

  • https://www.hacktivesecurity.com/blog/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
  • https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti
  • https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/
  • https://docs.cobalt.io/bestpractices/prevent-ssti/

Credits

Edoardo Ottavianelli

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.45.20"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "changedetection.io"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.45.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-15T18:05:15Z",
    "nvd_published_at": "2024-04-26T00:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.\n\n### Details\n\nchangedetection.io version: 0.45.20\n```\ndocker images\nREPOSITORY                            TAG       IMAGE ID       CREATED        SIZE\ndgtlmoon/changedetection.io           latest    53529c2e69f1   44 hours ago   423MB\n```\n\nThe vulnerability is caused by the usage of vulnerable functions of Jinja2 template engine.\n```python\nfrom jinja2 import Environment, BaseLoader\n...\n    # Get the notification body from datastore\n    jinja2_env = Environment(loader=BaseLoader)\n    n_body = jinja2_env.from_string(n_object.get(\u0027notification_body\u0027, \u0027\u0027)).render(**notification_parameters)\n    n_title = jinja2_env.from_string(n_object.get(\u0027notification_title\u0027, \u0027\u0027)).render(**notification_parameters)\n```\n\n\n### PoC\n1. Create/Edit a URL watch item\n2. Under *Notifications* tab insert this payload: \n```python\n{{ self.__init__.__globals__.__builtins__.__import__(\u0027os\u0027).popen(\u0027id\u0027).read() }}\n```\n![Screenshot from 2024-04-19 15-46-04](https://github.com/dgtlmoon/changedetection.io/assets/35783570/b6a5779f-fd1e-4708-9b2d-21cb97f0bb4f)\n\n3. See Telegram (or other supported messaging app) notification\n\n![Screenshot from 2024-04-19 16-02-12](https://github.com/dgtlmoon/changedetection.io/assets/35783570/20877919-d6fe-49f1-bbd2-586e900207f1)\n\n\n### Impact\nIn the PoC I\u0027ve used `id` as payload and Telegram to read the result.  \nAttackers can run any system command without any restriction and they don\u0027t need to read the result in the notification app (e.g. they could use a reverse shell).\nThe impact is critical as the attacker can completely takeover the server host.\nThis can be reduced if changedetection access is protected by login page with a password, but this isn\u0027t required by the application (not by default and not enforced).\n\n### References\n- https://www.hacktivesecurity.com/blog/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/\n- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti\n- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/\n- https://docs.cobalt.io/bestpractices/prevent-ssti/\n\n### Credits\n\nEdoardo Ottavianelli",
  "id": "GHSA-4r7v-whpg-8rx3",
  "modified": "2025-08-06T17:55:27Z",
  "published": "2024-10-15T18:05:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32651"
    },
    {
      "type": "WEB",
      "url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgtlmoon/changedetection.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
    },
    {
      "type": "WEB",
      "url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution"
}

GHSA-4RMR-C2JX-VX27

Vulnerability from github – Published: 2022-01-27 14:51 – Updated: 2022-08-11 17:05
VLAI
Summary
Mustache remote code injection vulnerability
Details

In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mustache/mustache"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-24T23:01:39Z",
    "nvd_published_at": "2022-01-21T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.\n\n",
  "id": "GHSA-4rmr-c2jx-vx27",
  "modified": "2022-08-11T17:05:16Z",
  "published": "2022-01-27T14:51:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bobthecow/mustache.php/commit/579ffa5c96e1d292c060b3dd62811ff01ad8c24e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mustache/mustache/CVE-2022-0323.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bobthecow/mustache.php"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bobthecow/mustache.php/releases/tag/v2.14.1"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a5f5a988-aa52-4443-839d-299a63f44fb7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mustache remote code injection vulnerability"
}

GHSA-4W64-J7CG-53XC

Vulnerability from github – Published: 2023-04-24 21:30 – Updated: 2023-04-24 21:30
VLAI
Details

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.",
  "id": "GHSA-4w64-j7cg-53xc",
  "modified": "2023-04-24T21:30:30Z",
  "published": "2023-04-24T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2259"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alfio-event/alf.io/commit/94e2923a317452e337393789c9f3192dfc1ddac2"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e753bce0-ce82-463b-b344-2f67b39b60ff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-527Q-4WQV-G9WJ

Vulnerability from github – Published: 2025-10-16 20:28 – Updated: 2025-10-16 21:54
VLAI
Summary
bagisto has Server Side Template Injection (SSTI) in Product Description
Details

Summary

Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server.

Details

In Bagisto, product descriptions are rendered through Laravel’s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.

PoC

Create a product and enter the payload to the description. image Preview the page, observed that the template expressions were evaluated by the backend and displayed on the screen. image

Impact

RCE potential: Attackers can execute arbitrary PHP code or system commands. Data breach: Read sensitive environment variables (.env), API keys, or database credentials. Defacement / persistence: Inject malicious scripts or backdoors in dynamic templates. Privilege escalation: If attackers have limited roles (e.g., product manager), they can compromise the entire application or host.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T20:28:35Z",
    "nvd_published_at": "2025-10-16T19:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nBagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server.\n\n### Details\nIn Bagisto, product descriptions are rendered through Laravel\u2019s Blade templating engine in various front-end and admin views. The product description field is not sanitized or escaped before being passed to the view, which means user-supplied data can break out of the expected string context and execute arbitrary template code.\n\n### PoC\nCreate a product and enter the payload to the description.\n\u003cimg width=\"679\" height=\"669\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1e5dac3f-4043-4b31-98ed-f4346feb5477\" /\u003e\nPreview the page, observed that the template expressions were evaluated by the backend and displayed on the screen.\n\u003cimg width=\"1431\" height=\"922\" alt=\"image\" src=\"https://github.com/user-attachments/assets/16f29c6e-05f4-40c4-9926-0c59e0a979c2\" /\u003e\n\n\n### Impact\nRCE potential: Attackers can execute arbitrary PHP code or system commands.\nData breach: Read sensitive environment variables (.env), API keys, or database credentials.\nDefacement / persistence: Inject malicious scripts or backdoors in dynamic templates.\nPrivilege escalation: If attackers have limited roles (e.g., product manager), they can compromise the entire application or host.",
  "id": "GHSA-527q-4wqv-g9wj",
  "modified": "2025-10-16T21:54:30Z",
  "published": "2025-10-16T20:28:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62416"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bagisto has Server Side Template Injection (SSTI) in Product Description"
}

Mitigation
Architecture and Design

Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.

Mitigation
Implementation

Use the template engine's sandbox or restricted mode, if available.

No CAPEC attack patterns related to this CWE.