CVE-2021-46703

CRITICAL

Antaris RazorEngine <4.5.1-alpha001 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-46703. PoCs published by BenEdridge.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2021-46703, a vulnerability in RazorEngine that allows remote code execution through template injection. The exploit leverages nested template compilation and sandbox bypass techniques to execute arbitrary code.

Description

In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Exploits (1)

nomisec WORKING POC
by BenEdridge · poc
https://github.com/BenEdridge/CVE-2021-46703

This repository contains a proof-of-concept exploit for CVE-2021-46703, a vulnerability in RazorEngine that allows remote code execution through template injection. The exploit leverages nested template compilation and sandbox bypass techniques to execute arbitrary code.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: RazorEngine (versions affected by CVE-2021-46703)
No auth needed
Prerequisites: Access to a system running vulnerable RazorEngine · Ability to supply malicious template input
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Antaris/RazorEngine/issues/585

Scores

CVSS v3 9.8
EPSS 0.0142
EPSS Percentile 81.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (3)
nuget/RazorEngine 0NuGet
razorengine_project/razorengine 4.5.1 alpha001
razorengine_project/razorengine < 4.5.1
Published Mar 06, 2022
Tracked Since Feb 18, 2026