Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-1336

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

Parent: CWE-94 - Improper Control of Generation of Code ('Code Injection')

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

175 vulnerabilities with CWE-1336

CVE-2026-41065 HIGH

Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory

CVE-2026-34906 CRITICAL

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia

CVE-2026-42252 CRITICAL

Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern

CVE-2026-45697 CRITICAL

Formie: Pre-authenticated server-side template injection in Hidden fields

CVE-2026-49382 MEDIUM

Jetbrains IntelliJ Idea < 2026.1 - Improper Neutralization of Special Elements Used in a Template Engine

CVE-2026-45312 CRITICAL

RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution

CVE-2026-9558 CRITICAL

Mautic - Authenticated Server-Side Template Injection via Theme Engine

CVE-2026-44209 HIGH

Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI

CVE-2026-44723 MEDIUM

Vowpal Wabbit: Shell injection via crafted PR title in python_checks.yml allows arbitrary command execution on CI runner

CVE-2026-9498 MEDIUM

Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a template engine

CVE-2026-29207 MEDIUM

Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

CVE-2026-8740 MEDIUM

Sanluan PublicCMS templateResult API TemplateResultDirective.java execute special elements used in a template engine

CVE-2026-45714 CRITICAL

CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CVE-2026-44377 CRITICAL

CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CVE-2026-41901 CRITICAL

Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions

CVE-2026-41713 HIGH

VMware Spring AI - Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor

CVE-2026-44129 HIGH

SEPPmail Secure Email Gateway - Server-Side Template Injection

CVE-2026-44916 LOW

Openstack Ironic < 35.0.1 - Improper Neutralization of Special Elements Used in a Template Engine

CVE-2026-42203 HIGH

LiteLLM: Server-Side Template Injection in /prompts/test endpoint

CVE-2026-6984 MEDIUM

AstrBotDevs AstrBot Dashboard API t2i.py create_template special elements used in a template engine

CVE-2026-41318 MEDIUM

AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer

CVE-2026-34587 HIGH

Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

CVE-2026-40602 MEDIUM

hass-cli: Handling of user-supplied Jinja2 templates

CVE-2026-40478 CRITICAL

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

CVE-2026-40477 CRITICAL

Improper restriction of the scope of accessible objects in Thymeleaf expressions

Page 1 of 7 Next

Details

Vulnerabilities 175

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy