CVE-2019-8341

CRITICAL

Jinja2 - Server-Side Template Injection via from_string Function

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-8341. PoCs published by JameelNabbo, adindrabkin.

AI-analyzed exploit summary This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in Jinja2's `from_string` function, allowing arbitrary code execution via crafted template expressions. The PoC includes examples for command injection, file reading, and reverse shell execution.

Description

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

Exploits (2)

exploitdb WORKING POC

by JameelNabbo · pythonwebappspython

https://www.exploit-db.com/exploits/46386

View Code ZIP pw:eip

This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in Jinja2's `from_string` function, allowing arbitrary code execution via crafted template expressions. The PoC includes examples for command injection, file reading, and reverse shell execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Jinja2 2.10

No auth needed

Prerequisites: A web application using Jinja2's `from_string` function with user-controlled input

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by adindrabkin · poc

https://github.com/adindrabkin/llama_facts

View Code ZIP pw:eip

This repository contains a working PoC for CVE-2019-8341, demonstrating Server-Side Template Injection (SSTI) in a Flask application. The vulnerability arises from unsafe use of `render_template_string` with user-controlled input in the search functionality.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Custom Flask application (Llama Facts)

No auth needed

Prerequisites: Docker installed · Network access to the target application

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Broken Link x_refsource_misc

https://github.com/JameelNabbo/Jinja2-Code-execution

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46386/

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html

Issue Tracking, Third Party Advisory x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=1677653

Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugzilla.suse.com/show_bug.cgi?id=1125815

Scores

CVSS v3 9.8

EPSS 0.4478

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (3)

opensuse/leap 15.0

opensuse/leap 42.3

pocoo/jinja2 2.10

Published Feb 15, 2019

Tracked Since Feb 18, 2026