{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ssti/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms"],"_cs_severities":["high"],"_cs_tags":["ssti","kirby","template-injection"],"_cs_type":"advisory","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in Kirby CMS affecting sites using option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) with options sourced from queries or APIs where the values cannot be fully trusted. This vulnerability, discovered and reported by @offset, stems from a double resolution of templates within the options rendering logic. An attacker with Panel access or through user interaction can inject malicious query templates. This can lead to unauthorized access to sensitive information (like user passwords) or malicious modification of site content. The vulnerability affects Kirby CMS versions prior to 4.9.0 and versions between 5.0.0 and 5.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the Kirby Panel, or convinces a user with access to interact with a malicious element.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a page or blueprint using dynamic options for form fields (checkboxes, selects, etc.) sourced from a query or API.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious query template, such as \u003ccode\u003e{{ users.first.password }}\u003c/code\u003e or \u003ccode\u003e{{ page.delete }}\u003c/code\u003e, into a page title or data returned from an external API.\u003c/li\u003e\n\u003cli\u003eThe administrator or another privileged user navigates to the affected Panel view, triggering the rendering of the form field with the injected malicious template.\u003c/li\u003e\n\u003cli\u003eThe Kirby CMS options logic improperly double-resolves the template, executing the injected query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information, such as user passwords, or triggers unauthorized actions like page deletion, depending on the injected query.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by exploiting the compromised user\u0026rsquo;s session or by directly accessing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow attackers to access sensitive site information, such as user credentials, or perform unauthorized actions, like modifying or deleting content. This could lead to a complete compromise of the Kirby CMS website and its data. The vulnerability specifically targets sites that leverage dynamic options for form fields, making them susceptible to malicious query injection. Sites running vulnerable versions of Kirby CMS are at risk of information disclosure and unauthorized modification.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.0 or 5.4.0 or later to patch the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-jcjw-58rv-c452\"\u003ehttps://github.com/advisories/GHSA-jcjw-58rv-c452\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all data sources used for dynamic options to prevent the injection of malicious templates and mitigate CVE-2026-34587.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as requests containing template syntax or attempts to access sensitive information, to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T21:24:37Z","date_published":"2026-04-23T21:24:37Z","id":"/briefs/2026-04-kirby-ssti/","summary":"A server-side template injection (SSTI) vulnerability exists in Kirby CMS within the option rendering feature due to double template resolution in option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) when using options from a query or API with untrusted values, potentially allowing attackers to inject malicious queries.","title":"Kirby CMS Server-Side Template Injection via Double Template Resolution","url":"https://feed.craftedsignal.io/briefs/2026-04-kirby-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssti","bentoml","code-execution","docker"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBentoML versions 1.4.37 and earlier contain a critical vulnerability related to server-side template injection (SSTI). The vulnerability stems from the use of an unsandboxed Jinja2 environment within the \u003ccode\u003egenerate_containerfile()\u003c/code\u003e function, which is responsible for creating Dockerfiles. By crafting a malicious bento archive containing a specially crafted \u003ccode\u003edockerfile_template\u003c/code\u003e, an attacker can inject arbitrary Python code that executes directly on the host machine when a victim imports and containerizes the bento using \u003ccode\u003ebentoml containerize\u003c/code\u003e. This vulnerability bypasses all container isolation mechanisms and gives the attacker full access to the host\u0026rsquo;s filesystem, environment variables, and potentially other sensitive information. The lack of input validation during the import process allows the malicious template to be embedded within the bento archive undetected until the containerization process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003ebentofile.yaml\u003c/code\u003e file containing a \u003ccode\u003edockerfile_template\u003c/code\u003e directive pointing to a Jinja2 template with an SSTI payload.\u003c/li\u003e\n\u003cli\u003eThe attacker builds a bento using \u003ccode\u003ebentoml build\u003c/code\u003e, which copies the malicious template into the bento archive at \u003ccode\u003eenv/docker/Dockerfile.template\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker exports the bento as a \u003ccode\u003e.bento\u003c/code\u003e or \u003ccode\u003e.tar.gz\u003c/code\u003e archive and distributes it to victims.\u003c/li\u003e\n\u003cli\u003eA victim imports the malicious bento archive using \u003ccode\u003ebentoml import bento.tar\u003c/code\u003e. No validation of the template content is performed during the import.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to containerize the imported bento using \u003ccode\u003ebentoml containerize\u003c/code\u003e, triggering the \u003ccode\u003econstruct_containerfile()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econstruct_containerfile()\u003c/code\u003e function detects the presence of the \u003ccode\u003eDockerfile.template\u003c/code\u003e and sets the \u003ccode\u003edockerfile_template\u003c/code\u003e attribute in the Docker options.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egenerate_containerfile()\u003c/code\u003e function loads the attacker-controlled template into an unsandboxed Jinja2 environment.\u003c/li\u003e\n\u003cli\u003eThe template is rendered, resulting in arbitrary Python code execution on the victim\u0026rsquo;s host machine, outside of any containerized environment. This allows the attacker to achieve full host compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows arbitrary code execution on the host machine of any user who imports and containerizes the malicious bento archive. This provides the attacker with: full access to the host filesystem, the ability to install backdoors or pivot to other systems, and access to sensitive information such as credentials and API keys stored in environment variables. Due to the placement of the malicious code within a bento archive, and the nature of the containerize operation, users may be unaware of the risk and impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patched version of BentoML (later than 1.4.37) to remediate CVE-2026-35044.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect BentoML SSTI Payload in Dockerfile Template\u0026rdquo; to identify potentially malicious Jinja2 templates being written to disk.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of suspicious commands originating from the \u003ccode\u003ebentoml\u003c/code\u003e process, particularly after importing a bento archive, to catch potential exploitation attempts using the rule \u0026ldquo;Detect Suspicious Process Execution from BentoML\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for any user-provided templates or configuration files to prevent server-side template injection vulnerabilities, as described in the overview.\u003c/li\u003e\n\u003cli\u003eReview and restrict the extensions used within the Jinja2 environment to only those absolutely necessary for Dockerfile generation, following the recommended fix in the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:14:15Z","date_published":"2026-04-03T23:14:15Z","id":"/briefs/2024-02-bentoml-ssti/","summary":"BentoML versions 1.4.37 and earlier are vulnerable to server-side template injection (SSTI), where the Dockerfile generation function uses an unsandboxed jinja2.Environment allowing arbitrary Python code execution on the host machine when a malicious bento archive is imported and containerized, bypassing container isolation and potentially granting full access to the host filesystem and environment variables.","title":"BentoML SSTI via Unsandboxed Jinja2 in Dockerfile Generation","url":"https://feed.craftedsignal.io/briefs/2024-02-bentoml-ssti/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4257"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssti","wordpress","rce","twig"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contact Form by Supsystic plugin, a popular WordPress plugin, is susceptible to a critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2026-4257. This vulnerability affects all versions up to and including 1.7.36. The root cause lies in the plugin\u0026rsquo;s use of the Twig template engine (\u003ccode\u003eTwig_Loader_String\u003c/code\u003e) without proper sandboxing. This, combined with the \u003ccode\u003ecfsPreFill\u003c/code\u003e functionality, allows unauthenticated attackers to inject arbitrary Twig expressions into form…\u003c/p\u003e\n","date_modified":"2026-03-30T22:16:20Z","date_published":"2026-03-30T22:16:20Z","id":"/briefs/2026-03-ssti-wordpress/","summary":"The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).","title":"Contact Form by Supsystic WordPress Plugin SSTI Vulnerability (CVE-2026-4257)","url":"https://feed.craftedsignal.io/briefs/2026-03-ssti-wordpress/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssti","jinja2","rce","giskard-agents","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe giskard-agents library, specifically versions 0.3.3 and earlier, along with versions 1.0.1a1 through 1.0.2a1, contains a critical vulnerability related to server-side template injection. The \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method within the library directly passes user-provided strings to a non-sandboxed Jinja2 Environment. This design flaw allows a malicious actor to inject arbitrary Jinja2 templates into the message, which, when rendered, can lead to remote code execution (RCE) on the server hosting the application. This vulnerability exists because the \u003ccode\u003echat()\u003c/code\u003e method, intended for processing user input, inadvertently interprets the input as a Jinja2 template due to the usage of \u003ccode\u003e_inline_env.from_string()\u003c/code\u003e. Defenders should be aware of applications using the vulnerable \u003ccode\u003echat()\u003c/code\u003e method which creates the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious string containing a Jinja2 payload designed for RCE.\u003c/li\u003e\n\u003cli\u003eThe attacker inputs the malicious string into a user interface or API endpoint that utilizes the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled string to the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e creates a \u003ccode\u003eMessageTemplate\u003c/code\u003e object with the attacker\u0026rsquo;s string as the \u003ccode\u003econtent_template\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erender()\u003c/code\u003e method of the \u003ccode\u003eMessageTemplate\u003c/code\u003e object calls \u003ccode\u003e_inline_env.from_string()\u003c/code\u003e on the attacker-controlled string, creating a Jinja2 template.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etemplate.render()\u003c/code\u003e method is invoked, executing the attacker\u0026rsquo;s Jinja2 payload due to the non-sandboxed Jinja2 Environment.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload leverages Jinja2 class traversal to gain access to sensitive modules like \u003ccode\u003eos\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary system commands via \u003ccode\u003eos.popen()\u003c/code\u003e (or equivalent), achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary system commands on the server hosting the affected application. This could lead to complete compromise of the server, including data theft, modification, or destruction. The severity of the impact is critical, potentially affecting any application that relies on giskard-agents for chatbot functionality and exposes the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method to user input. Affected versions include giskard-agents \u0026lt;=0.3.3 and 1.0.x alpha. Patched versions are giskard-agents 0.3.4 (stable) and 1.0.2b1 (pre-release).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade giskard-agents to version 0.3.4 or 1.0.2b1, which includes the fix mitigating the vulnerability described in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Giskard Agents SSTI Attempt via Jinja2 Class Traversal\u003c/code\u003e to detect exploitation attempts via \u003ccode\u003ewebserver\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize user inputs passed to the \u003ccode\u003eChatWorkflow.chat()\u003c/code\u003e method to prevent Jinja2 template injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T22:17:30Z","date_published":"2026-03-27T22:17:30Z","id":"/briefs/2024-01-02-giskard-ssti/","summary":"Giskard-agents versions 0.3.3 and earlier, and versions 1.0.1a1 through 1.0.2a1 are vulnerable to remote code execution via server-side template injection where the ChatWorkflow.chat() method passes user-supplied strings directly to a non-sandboxed Jinja2 Environment, allowing attackers to execute arbitrary code on the server.","title":"Giskard-agents ChatWorkflow.chat() Server-Side Template Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-02-giskard-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["LiteLLM"],"_cs_severities":["high"],"_cs_tags":["ssti","litellm","template-injection","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in LiteLLM versions 1.80.5 up to, but not including, 1.83.7. This flaw resides within the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, which processes user-supplied prompt templates. Due to insufficient input sanitization, a malicious actor with a valid proxy API key can inject arbitrary code into the template, leading to its execution within the LiteLLM Proxy process. This vulnerability was disclosed on April 24, 2026. Successful exploitation can compromise the proxy\u0026rsquo;s environment, potentially exposing sensitive credentials like provider API keys and database passwords, or allowing arbitrary command execution on the host system. Organizations using affected versions of LiteLLM are at risk. The vulnerability is addressed in version 1.83.7-stable by implementing a sandboxed template renderer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the LiteLLM proxy server using a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt template containing SSTI payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, including the crafted template in the request body.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy server receives the request and processes the template without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe SSTI payload executes arbitrary code within the LiteLLM proxy process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to environment variables containing sensitive information, such as API keys and database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed credentials to gain unauthorized access to external services or data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSTI vulnerability allows attackers to execute arbitrary code within the LiteLLM Proxy process. This can lead to the exposure of sensitive information such as API keys and database credentials, potentially enabling unauthorized access to other systems and data. Furthermore, attackers can execute arbitrary commands on the host, leading to full system compromise. The impact is significant for organizations relying on LiteLLM for managing and routing AI model requests, as it could result in data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version \u003ccode\u003e1.83.7-stable\u003c/code\u003e or later to patch the vulnerability, as this version implements a sandboxed template renderer (see Patches).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block \u003ccode\u003ePOST /prompts/test\u003c/code\u003e at your reverse proxy or API gateway to prevent exploitation attempts (see Workarounds).\u003c/li\u003e\n\u003cli\u003eReview and rotate API keys that should not have access to prompt management routes to limit the potential impact of compromised keys (see Workarounds).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM SSTI Attempts via /prompts/test\u0026rdquo; to your SIEM to identify potential exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-05T12:00:00Z","date_published":"2024-11-05T12:00:00Z","id":"/briefs/2024-11-litellm-ssti/","summary":"A server-side template injection vulnerability in LiteLLM versions 1.80.5 to before 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the host.","title":"LiteLLM Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["thymeleaf (\u003c= 3.1.4.RELEASE)","thymeleaf-spring5 (\u003c= 3.1.4.RELEASE)","thymeleaf-spring6 (\u003c= 3.1.4.RELEASE)"],"_cs_severities":["critical"],"_cs_tags":["ssti","template-injection","thymeleaf","cve-2026-41901"],"_cs_type":"advisory","_cs_vendors":["org.thymeleaf"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-41901, has been identified in Thymeleaf, a Java template engine, affecting versions up to and including 3.1.4.RELEASE. This vulnerability allows for Server-Side Template Injection (SSTI) due to the improper neutralization of specific syntax patterns within sandboxed expression execution. Specifically, the library fails to properly sanitize certain constructs, allowing potentially dangerous expressions to be executed even within supposedly restricted contexts. This poses a significant risk if application developers pass unsanitized variables to the template engine and these variables are then utilized in sandboxed areas within the templates. Successful exploitation can lead to arbitrary code execution on the server. All users of affected versions are strongly advised to upgrade to version 3.1.5.RELEASE as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of Thymeleaf (\u0026lt;= 3.1.4.RELEASE).\u003c/li\u003e\n\u003cli\u003eThe attacker locates a template within the application that uses Thymeleaf\u0026rsquo;s expression evaluation within a sandboxed context.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an input field or parameter that passes data to the Thymeleaf template engine.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a Thymeleaf expression designed to bypass the sandbox restrictions. This payload may utilize specific syntax patterns not properly neutralized by the vulnerable Thymeleaf version.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted payload into the identified input field.\u003c/li\u003e\n\u003cli\u003eThe application processes the attacker-controlled input via the Thymeleaf template engine.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the malicious Thymeleaf expression is executed despite the intended sandboxing.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, potentially gaining full control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41901 can lead to complete system compromise. An attacker could potentially execute arbitrary code, install malware, steal sensitive data, or disrupt application services. The vulnerability affects any application using Thymeleaf versions up to 3.1.4.RELEASE, potentially impacting numerous organizations across various sectors. The lack of proper input sanitization is the root cause, which can be difficult to identify and mitigate without patching the underlying Thymeleaf library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Thymeleaf to version 3.1.5.RELEASE or later to patch CVE-2026-41901.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, review and sanitize all data passed to the Thymeleaf template engine to prevent the injection of malicious expressions. However, this workaround is not a complete solution and upgrading is strongly recommended.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Thymeleaf Template Injection Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs, focusing on HTTP requests containing suspicious patterns related to Thymeleaf expressions.\u003c/li\u003e\n\u003cli\u003eEnable verbose logging on your web servers to capture detailed information about HTTP requests and responses, which can aid in identifying and investigating potential template injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-thymeleaf-ssti/","summary":"A server-side template injection vulnerability exists in Thymeleaf versions up to 3.1.4.RELEASE due to improper neutralization of specific constructs, allowing the execution of potentially dangerous expressions in sandboxed contexts if unsanitized variables are passed to the template engine.","title":"Thymeleaf Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-thymeleaf-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-api (\u003e= 2.7.0, \u003c 2.7.9)","openmrs-api (\u003e= 2.8.0, \u003c 2.8.6)"],"_cs_severities":["critical"],"_cs_tags":["ssti","rce","velocity","openmrs"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS is vulnerable to a critical security flaw stemming from the unsafe use of Apache Velocity templates. Specifically, the \u003ccode\u003eConceptReferenceRangeUtility.evaluateCriteria()\u003c/code\u003e method processes database-stored criteria strings as Velocity templates without any sandbox restrictions. This allows for unrestricted Java reflection through template expressions. A user possessing the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege can inject a malicious Velocity template expression into a concept\u0026rsquo;s reference range criteria field. This payload will then execute automatically whenever a user or an API call validates an observation against the compromised concept. This issue impacts OpenMRS versions 2.7.0 through 2.7.8, and 2.8.0 through 2.8.5. Successful exploitation allows an attacker to escalate privileges from content management to arbitrary code execution as the Tomcat application server process, with the potential for exfiltration of protected health information (PHI). The vulnerability is identified as CVE-2026-41258.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an OpenMRS account with the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the concept dictionary management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a commonly used concept, such as one for a standard clinical measurement.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the concept and injects a malicious Velocity template expression into the concept\u0026rsquo;s reference range criteria field. The expression leverages Java reflection to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe malicious template is saved and stored in the \u003ccode\u003econcept_reference_range\u003c/code\u003e database table.\u003c/li\u003e\n\u003cli\u003eA user or API call validates an observation against the affected concept, triggering the execution of the stored Velocity template.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the Tomcat application server process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing a web shell for persistent access or exfiltrating patient data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for persistent remote code execution on the OpenMRS server. The injected payload persists within the \u003ccode\u003econcept_reference_range\u003c/code\u003e database table (VARCHAR 65535). A single compromised concept, especially one used for common clinical measurements, can lead to the execution of the malicious payload on every subsequent observation validation across all users, API clients, and integrations. This affects all facilities using the compromised OpenMRS instance. The attacker can escalate privileges from content dictionary management to arbitrary code execution and potentially exfiltrate PHI data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS to version 2.8.6 or 2.7.9 or later to patch CVE-2026-41258.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003eManage Concepts\u003c/code\u003e privilege to only authorized users, as mentioned in the advisory\u0026rsquo;s workarounds.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule detecting Velocity template injection attempts to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement database monitoring to detect unauthorized modifications to the \u003ccode\u003econcept_reference_range\u003c/code\u003e table to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-ssti/","summary":"OpenMRS is vulnerable to a Stored Velocity SSTI to RCE via ConceptReferenceRange, where the `ConceptReferenceRangeUtility.evaluateCriteria()` method evaluates database-stored criteria strings as Apache Velocity templates without a sandbox, allowing unrestricted Java reflection through template expressions, leading to persistent remote code execution and privilege escalation when a user with the `Manage Concepts` privilege stores a malicious Velocity template expression in a concept's reference range criteria field.","title":"OpenMRS Stored Velocity SSTI to RCE via ConceptReferenceRange","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed — Ssti","version":"https://jsonfeed.org/version/1.1"}