
CWE-1336 — Vulnerability Class

118 vulnerabilities classified as CWE-1336. AI Chinese analysis included.

CWE-1336 describes an injection weakness in which an application fails to neutralize user-supplied data before handing it to a template engine. An attacker who controls such data can supply template expressions or code directives that the engine interprets as executable logic rather than as static text. Exploitation typically becomes possible when developers build the template source itself from unvalidated user input (instead of passing that input to the engine as a context value), which can lead to remote code execution, server-side request forgery, or leakage of sensitive data. To mitigate this risk, developers should keep template sources constant, validate input strictly, and rely on the auto-escaping features that modern template frameworks provide. Applying the principle of least privilege to the rendering process limits the impact should an injection nevertheless succeed, and regular security audits together with static code analysis help identify unsafe template usage patterns before deployment.

MITRE CWE Description
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Many web applications use template engines that allow developers to insert externally-influenced values into free text or messages in order to generate a full web page, document, message, etc. Such engines include Twig, Jinja2, Pug, Java Server Pages, FreeMarker, Velocity, ColdFusion, Smarty, and many others - including PHP itself. Some CMS (Content Management Systems) also use templates.

Template engines often have their own custom command or expression language. If an attacker can influence input into a template before it is processed, then the attacker can invoke arbitrary expressions, i.e. perform injection attacks. For example, in some template languages, an attacker could inject the expression "{{7*7}}" and determine if the output returns "49" instead. The syntax varies depending on the language.

In some cases, XSS-style attacks can work, which can obscure the root cause if the developer does not closely investigate the root cause of the error.

Template engines can be used on the server or client, so both "sides" could be affected by injection. The mechanisms of attack or the affected technologies might be different, but the mistake is fundamentally the same.
Common Consequences (1)
Integrity: Execute Unauthorized Code or Commands
Mitigations (2)
Architecture and Design: Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Implementation: Use the template engine's sandbox or restricted mode, if available.
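The "{{7*7}}" probe and both mitigations above in Jinja2, as an added example that is not part of the CWE entry or of any listed project: the vulnerable function splices user data into the template source, the fixed one keeps the source constant and renders the data as a context value inside SandboxedEnvironment with autoescape, and a delimiter check serves as the input-validation and logging hook. Function names and the sample inputs are constructed for this example.

```python
import re
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Added example; function names are ours, not from any project on this page.

# Opening delimiters of engines named in the CWE text (Jinja2/Twig "{{" "{%",
# FreeMarker/Velocity "${" "#{", JSP/ASP-style "<%"). Seeing one in a value
# that will reach a template is worth logging as a probe, even in fixed code.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\$\{|#\{|<%")


def contains_template_syntax(value: str) -> bool:
    """Input-validation / detection hook: True if value carries template delimiters."""
    return TEMPLATE_SYNTAX.search(value) is not None


def render_greeting_vulnerable(user_name: str) -> str:
    """CWE-1336 pattern: user data becomes part of the *template source*, so the
    engine parses it as syntax. The "{{7*7}}" probe from the CWE text yields 49."""
    template_src = "Hello " + user_name + "!"
    return Environment().from_string(template_src).render()


def render_greeting_safe(user_name: str) -> str:
    """Fixed pattern: the template source is a constant and user data is a context
    value the engine treats as text. SandboxedEnvironment is the 'restricted mode'
    mitigation; autoescape covers the XSS-style variant the description mentions."""
    env = SandboxedEnvironment(autoescape=True)
    template = env.from_string("Hello {{ user_name }}!")
    return template.render(user_name=user_name)


if __name__ == "__main__":
    probe = "{{7*7}}"  # constructed sample input: the probe named in the CWE text
    print(contains_template_syntax(probe))     # True -> log/alert
    print(render_greeting_vulnerable(probe))    # Hello 49!
    print(render_greeting_safe(probe))          # Hello {{7*7}}!
    print(render_greeting_safe("<b>Ann</b>"))   # Hello &lt;b&gt;Ann&lt;/b&gt;!
```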
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2025-53909 | mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template | mailcow-dockerized | 9.1 | Critical | 2025-07-17
CVE-2025-49828 | Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution | conjur | 8.8 (AI) | High (AI) | 2025-07-15
CVE-2025-53833 | LaRecipe is vulnerable to Server-Side Template Injection attacks | larecipe | 10.0 | Critical | 2025-07-14
CVE-2025-6761 | Kingdee Cloud-Starry-Sky Enterprise Edition Freemarker Engine DynamicForm 4 Action.class plugin.buildMobilePopHtml special elements used in a template engine | Cloud-Starry-Sky Enterprise Edition | 7.3 | High | 2025-06-27
CVE-2025-6518 | PySpur-Dev pyspur Jinja2 Template single_llm_call.py SingleLLMCallNode special elements used in a template engine | pyspur | 6.3 | Medium | 2025-06-23
CVE-2025-49142 | Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating | nautobot | 8.1 (AI) | High (AI) | 2025-06-10
CVE-2025-49136 | listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user | listmonk | 9.1 | Critical | 2025-06-09
CVE-2025-49619 | Ikonomos Skyvern security vulnerability | Skyvern | 8.5 | High | 2025-06-07
CVE-2025-5325 | zhilink Zhilink (Shenzhen) Technology Co., Ltd. ADP Application Developer Platform testService special elements used in a template engine | ADP Application Developer Platform | 6.3 | Medium | 2025-05-29
CVE-2025-47916 | Invision Community security vulnerability | Invision Power Board | 10.0 | Critical | 2025-05-16
CVE-2025-46731 | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI | cms | 7.2 (AI) | High (AI) | 2025-05-05
CVE-2025-23376 | Dell PowerProtect Data Manager Reporting security vulnerability | PowerProtect Data Manager Reporting | 2.3 | Low | 2025-04-28
CVE-2025-46661 | IPW Systems Metazo security vulnerability | Metazo | 10.0 | Critical | 2025-04-28
CVE-2025-3841 | wix-incubator jam Jinja2 Template jam.py special elements used in a template engine | jam | 3.3 | Low | 2025-04-21
CVE-2025-32461 | Tiki security vulnerability | Tiki | 9.9 | Critical | 2025-04-09
CVE-2024-8238 | Unrestricted Code Execution in aimhubio/aim | aimhubio/aim | 8.8 | - | 2025-03-20
CVE-2025-1040 | Server-Side Template Injection (SSTI) in significant-gravitas/autogpt | significant-gravitas/autogpt | 9.8 | - | 2025-03-20
CVE-2025-26865 | Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE | Apache OFBiz | 9.8 | - | 2025-03-10
CVE-2025-2040 | zhijiantianya ruoyi-vue-pro deploy special elements used in a template engine | ruoyi-vue-pro | 6.3 | Medium | 2025-03-06
CVE-2025-27516 | Jinja sandbox breakout through attr filter selecting format method | jinja | 9.8 | - | 2025-03-05
CVE-2024-9150 | Code Injection in Wyn Enterprise | Wyn Enterprise | 7.8 | - | 2025-02-21
CVE-2025-26789 | Logpoint AgentX security vulnerability | AgentX | 4.9 | - | 2025-02-14
CVE-2025-23211 | Tandoor Recipes - SSTI - Remote Code Execution | recipes | 10.0 | Critical | 2025-01-28
CVE-2024-12583 | Dynamics 365 Integration <= 1.3.23 - Authenticated (Contributor+) Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection | Dynamics 365 Integration | 9.9 | Critical | 2025-01-04
CVE-2024-56326 | Jinja has a sandbox breakout through indirect reference to format method | jinja | 8.8 | - | 2024-12-23
CVE-2024-55660 | SiYuan has an SSTI via /api/template/renderSprig | siyuan | 6.5 | - | 2024-12-11
CVE-2024-55652 | PwnDoc Server-Side Template Injection vulnerability - Sandbox Escape to RCE using custom filters | pwndoc | 6.5 | Medium | 2024-12-11
CVE-2024-30372 | Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability | Allegra | 8.8 | - | 2024-11-22
CVE-2024-45053 | Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine | fides | 9.1 | Critical | 2024-09-04
CVE-2024-6386 | WPML Multilingual CMS <= 4.6.12 - Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection | WPML | 9.9 | Critical | 2024-08-21

Vulnerabilities classified as CWE-1336 represent 118 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.