CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

Parent: CWE-94 - Improper Control of Generation of Code ('Code Injection')

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

155 vulnerabilities with CWE-1336
CVE-2026-6984 MEDIUM
AstrBotDevs AstrBot Dashboard API t2i.py create_template special elements used in a template engine
CVSS 4.7
CVE-2026-41318 MEDIUM
AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer
CVSS 5.4
CVE-2026-34587 HIGH
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
CVSS 8.1
CVE-2026-40602 MEDIUM
hass-cli: Handling of user-supplied Jinja2 templates
CVSS 5.6
CVE-2026-40478 CRITICAL
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
CVSS 9.0
CVE-2026-40477 CRITICAL
Improper restriction of the scope of accessible objects in Thymeleaf expressions
CVSS 9.0
CVE-2026-40320 HIGH
Giskard has an Unsandboxed Jinja2 Template Rendering in ConformityCheck
CVSS 7.8
CVE-2026-33392 HIGH
JetBrains YouTrack <2025.3.131383 - RCE
CVSS 7.2
CVE-2026-5987 MEDIUM
Sanluan PublicCMS FreeMarker Template AbstractFreemarkerView.java AbstractFreemarkerView.doRender special elements used in a template engine
CVSS 4.7
CVE-2026-40087 MEDIUM
LangChain has incomplete f-string validation in prompt templates
CVSS 5.3
CVE-2026-39980 CRITICAL
OpenCTI affected by RCE via notifier template
CVSS 9.1
CVE-2026-35477 MEDIUM
InvenTree has SSTI in PART_NAME_FORMAT bypasses CVE-2026-27629 fix via {% if part.pk %} sandbox escape
CVSS 5.5
CVE-2026-34724 HIGH
Zammad has a server-side template injection leading to RCE via AI Agent
CVSS 7.2
CVE-2026-35044 HIGH
BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation
CVSS 8.8
CVE-2026-26026 CRITICAL
GLPI has a Server-Side Template Injection via Double-Compilation
CVSS 9.1
CVE-2026-5559 MEDIUM
AntaresMugisho PyBlade AST Validation sandbox.py _is_safe_ast special elements used in a template engine
CVSS 6.3
CVE-2026-28797 HIGH
RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component
CVSS 8.8
CVE-2026-34202 HIGH
Zebra node crash — V5 transaction hash panic (P2P reachable)
CVSS 7.5
CVE-2026-34172 HIGH
Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment
CVSS 8.8
CVE-2026-28228 HIGH
OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution
CVSS 8.8
CVE-2026-33654 CRITICAL
Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling
CVSS 9.8
CVE-2026-33897 CRITICAL
Incus vulnerable to arbitrary file read and write through pongo templates
CVSS 9.9
CVE-2026-33154 HIGH
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
CVSS 7.5
CVE-2026-33130 MEDIUM
Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)
CVSS 6.5
CVE-2026-32261 HIGH
RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin