CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

Parent: CWE-94 - Improper Control of Generation of Code ('Code Injection')

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

133 vulnerabilities with CWE-1336 (CVE, severity, CVSS score, title):

CVE-2026-3725 (MEDIUM, CVSS 6.3): 1024-lab SmartAdmin <=3.29 - Code Injection
CVE-2026-3714 (MEDIUM, CVSS 4.7): OpenCart 4.0.2.3 - Code Injection
CVE-2026-28784 (HIGH, CVSS 7.2): Craft CMS <5.8.22/4.16.18 - RCE
CVE-2026-28783 (CRITICAL, CVSS 9.1): Craft CMS <5.9.0-beta.1/4.17.0-beta.1 - RCE
CVE-2026-28697 (CRITICAL, CVSS 9.1): Craft CMS <4.17.0-beta.1/5.9.0-beta.1 - RCE
CVE-2026-28695 (HIGH, CVSS 7.2): Craft CMS 5.8.21 - Authenticated RCE
CVE-2026-26938 (HIGH, CVSS 8.6): Kibana - Code Injection
CVE-2026-27961 (HIGH, CVSS 8.8): Agenta <0.86.8 - SSTI
CVE-2026-27641 (CRITICAL, CVSS 9.8): Flask-Reuploaded <1.5.0 - Path Traversal
CVE-2026-27629 (MEDIUM, CVSS 5.9): InvenTree <1.2.3 - Code Injection
CVE-2026-2969 (MEDIUM, CVSS 4.7): datapizza-ai 0.0.2 - Code Injection
CVE-2026-27464 (HIGH, CVSS 7.7): Metabase <0.57.13/0.58.x-0.58.6 - Info Disclosure
CVE-2025-12107 (HIGH, CVSS 8.4): Velocity Template Engine - Code Injection
CVE-2026-1868 (CRITICAL, CVSS 9.9): GitLab AI Gateway <18.6.1-18.8.0 - DoS/Code Execution
CVE-2026-25731 (HIGH, CVSS 7.8): Calibre <9.2.0 - Code Injection
CVE-2026-25526 (CRITICAL, CVSS 9.8): JinJava <2.7.6, <2.8.3 - RCE
CVE-2025-69516 (HIGH, CVSS 8.8): Amidaware Tactical RMM <=1.3.1 - SSTI
CVE-2025-46699 (MEDIUM, CVSS 4.3): Dell Data Protection Advisor <19.12 - Info Disclosure
CVE-2025-64087 (CRITICAL, CVSS 9.8): opensagres XDocReport <2.1.0 - SSTI
CVE-2026-23626 (MEDIUM, CVSS 6.8): Kimai <2.46.0 - Code Injection
CVE-2026-22244 (HIGH, CVSS 7.2): OpenMetadata <1.11.4 - Remote Code Execution
CVE-2025-68454 (HIGH, CVSS 8.8): Craft CMS <4.16.17 - Remote Code Execution
CVE-2026-21450 (CRITICAL, CVSS 9.8): Webkul Bagisto <2.3.10 - Remote Code Execution
CVE-2026-21449 (HIGH, CVSS 8.8): Bagisto <2.3.10 - SSRF
CVE-2026-21448 (CRITICAL, CVSS 9.8): Webkul Bagisto <2.3.10 - Remote Code Execution