Description
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
Scores
CVSS v3
9.1
EPSS
0.0005
EPSS Percentile
16.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1336
Status
published
Products (1)
elastic/elastic_cloud_enterprise
2.5.0 - 3.8.2
Published
Oct 13, 2025
Tracked Since
Feb 18, 2026