Template-Injection

A remote code execution vulnerability exists in LiquidJS versions prior to 10.26.0, where crafted templates can execute arbitrary code by manipulating the `valueOf` filter and leveraging function calls via a comparable gadget.

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution (CVE-2026-6169) due to the use of the BladeOne templating engine's runString() method, which allows authenticated attackers with Editor-level access or higher to execute arbitrary PHP code by injecting it into a plugin template.

A malicious user with permission to edit the `local-path-config` ConfigMap in the `local-path-storage` namespace can manipulate the `helperPod.yaml` template used by `rancher/local-path-provisioner`. Security-sensitive fields such as `securityContext.privileged`, `hostPath` volumes, and Linux capabilities can be injected into the template, leading to a privileged pod running on the target node with the host root filesystem mounted.

The FileSystemLoader in python-liquid versions before 2.2.0 allows malicious template authors to read arbitrary files outside the search paths via the `{% include %}` and `{% render %}` tags by using absolute paths; this is resolved in version 2.2.0 by checking for absolute paths in the `resolve_path()` method.

Jdbi's freemarker module is vulnerable to arbitrary command execution when an application permits attacker-influenced text to reach FreemarkerEngine.parse() as template source, affecting org.jdbi:jdbi3-freemarker through version 3.52.1 and potentially leading to RCE.

NetBox versions 4.3.5 through 4.5.4 are vulnerable to remote code execution (RCE) via template injection, where authenticated users with specific permissions can inject malicious Python callables into template parameters, bypassing Jinja2 sandboxing to execute arbitrary code.

A server-side template injection (SSTI) vulnerability exists in Kirby CMS within the option rendering feature due to double template resolution in option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) when using options from a query or API with untrusted values, potentially allowing attackers to inject malicious queries.

PraisonAI before version 4.5.128 is vulnerable to supply chain attacks due to treating remotely fetched template files as trusted executable code without proper verification, enabling exploitation via malicious templates.

GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.

CVE-2026-4800 allows attackers to inject arbitrary code at template compilation time via untrusted input passed as key names in the options.imports object of the _.template function in lodash versions prior to 4.18.0, potentially leading to remote code execution.

A vulnerability in Incus versions prior to 6.23.0 allows for arbitrary read and write access as root on the host server by exploiting a missing chroot isolation in the pongo2 template engine.

A server-side template injection vulnerability in LiteLLM versions 1.80.5 to before 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the host.

A server-side template injection vulnerability exists in Thymeleaf versions up to 3.1.4.RELEASE due to improper neutralization of specific constructs, allowing the execution of potentially dangerous expressions in sandboxed contexts if unsanitized variables are passed to the template engine.

A vulnerability in liquidjs versions prior to 10.25.7 allows for denial of service due to a circular block reference in the layout, causing an infinite recursive loop that exhausts memory and crashes the Node.js process.

Beghelli Sicuro24 SicuroWeb is vulnerable to arbitrary JavaScript execution due to embedding an end-of-life AngularJS 1.5.2 component with known sandbox escape primitives combined with template injection, enabling attackers to compromise operator browser sessions via MITM attacks.