{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/template-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-29514"}],"_cs_exploited":false,"_cs_products":["NetBox (4.3.5 - 4.5.4)"],"_cs_severities":["critical"],"_cs_tags":["rce","template-injection","netbox","cve-2026-29514"],"_cs_type":"advisory","_cs_vendors":["NetBox"],"content_html":"\u003cp\u003eNetBox, a widely-used infrastructure resource modeling application, is vulnerable to remote code execution (RCE) in versions 4.3.5 through 4.5.4. This vulnerability, identified as CVE-2026-29514, resides in the \u003ccode\u003eRenderTemplateMixin.get_environment_params()\u003c/code\u003e method. An authenticated attacker with \u003ccode\u003eexporttemplate\u003c/code\u003e or \u003ccode\u003econfigtemplate\u003c/code\u003e permissions can exploit this flaw by injecting malicious Python callables into the \u003ccode\u003eenvironment_params\u003c/code\u003e field. Successful exploitation allows the attacker to bypass the Jinja2 SandboxedEnvironment, achieving arbitrary code execution as the NetBox service user. This RCE can lead to complete system compromise, data exfiltration, or denial of service. Defenders should prioritize patching and implement the detection measures outlined below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the NetBox web application with \u003ccode\u003eexporttemplate\u003c/code\u003e or \u003ccode\u003econfigtemplate\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify or create an export/config template.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects a Python callable, such as \u003ccode\u003esubprocess.getoutput\u003c/code\u003e, into the \u003ccode\u003eenvironment_params\u003c/code\u003e field. The \u003ccode\u003efinalize\u003c/code\u003e parameter of the Jinja2 environment is set to this callable.\u003c/li\u003e\n\u003cli\u003eNetBox processes the request, and the Jinja2 environment is initialized with the attacker-controlled \u003ccode\u003efinalize\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eWhen the template is rendered, every expression outside the sandbox\u0026rsquo;s call interception mechanism is processed.\u003c/li\u003e\n\u003cli\u003eThe injected callable (\u003ccode\u003esubprocess.getoutput\u003c/code\u003e) is invoked on the rendered expression.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubprocess.getoutput\u003c/code\u003e callable executes arbitrary shell commands as the NetBox service user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, potentially leading to full system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29514 allows an authenticated attacker to execute arbitrary code on the NetBox server. The impact includes potential full system compromise, data exfiltration, and denial of service. Given that NetBox is often used to manage critical infrastructure information, a successful attack could have significant consequences, potentially affecting numerous organizations that rely on accurate network data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NetBox to a patched version (4.5.5 or later) to remediate CVE-2026-29514.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect attempts to inject malicious callables into \u003ccode\u003eenvironment_params\u003c/code\u003e via webserver logs.\u003c/li\u003e\n\u003cli\u003eReview and restrict \u003ccode\u003eexporttemplate\u003c/code\u003e and \u003ccode\u003econfigtemplate\u003c/code\u003e permissions to only those users who require them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:16:22Z","date_published":"2026-05-04T17:16:22Z","id":"/briefs/2026-05-netbox-rce/","summary":"NetBox versions 4.3.5 through 4.5.4 are vulnerable to remote code execution (RCE) via template injection, where authenticated users with specific permissions can inject malicious Python callables into template parameters, bypassing Jinja2 sandboxing to execute arbitrary code.","title":"NetBox RCE via Jinja2 Template Injection (CVE-2026-29514)","url":"https://feed.craftedsignal.io/briefs/2026-05-netbox-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms"],"_cs_severities":["high"],"_cs_tags":["ssti","kirby","template-injection"],"_cs_type":"advisory","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in Kirby CMS affecting sites using option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) with options sourced from queries or APIs where the values cannot be fully trusted. This vulnerability, discovered and reported by @offset, stems from a double resolution of templates within the options rendering logic. An attacker with Panel access or through user interaction can inject malicious query templates. This can lead to unauthorized access to sensitive information (like user passwords) or malicious modification of site content. The vulnerability affects Kirby CMS versions prior to 4.9.0 and versions between 5.0.0 and 5.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the Kirby Panel, or convinces a user with access to interact with a malicious element.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a page or blueprint using dynamic options for form fields (checkboxes, selects, etc.) sourced from a query or API.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious query template, such as \u003ccode\u003e{{ users.first.password }}\u003c/code\u003e or \u003ccode\u003e{{ page.delete }}\u003c/code\u003e, into a page title or data returned from an external API.\u003c/li\u003e\n\u003cli\u003eThe administrator or another privileged user navigates to the affected Panel view, triggering the rendering of the form field with the injected malicious template.\u003c/li\u003e\n\u003cli\u003eThe Kirby CMS options logic improperly double-resolves the template, executing the injected query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information, such as user passwords, or triggers unauthorized actions like page deletion, depending on the injected query.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by exploiting the compromised user\u0026rsquo;s session or by directly accessing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow attackers to access sensitive site information, such as user credentials, or perform unauthorized actions, like modifying or deleting content. This could lead to a complete compromise of the Kirby CMS website and its data. The vulnerability specifically targets sites that leverage dynamic options for form fields, making them susceptible to malicious query injection. Sites running vulnerable versions of Kirby CMS are at risk of information disclosure and unauthorized modification.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.0 or 5.4.0 or later to patch the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-jcjw-58rv-c452\"\u003ehttps://github.com/advisories/GHSA-jcjw-58rv-c452\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all data sources used for dynamic options to prevent the injection of malicious templates and mitigate CVE-2026-34587.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as requests containing template syntax or attempts to access sensitive information, to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T21:24:37Z","date_published":"2026-04-23T21:24:37Z","id":"/briefs/2026-04-kirby-ssti/","summary":"A server-side template injection (SSTI) vulnerability exists in Kirby CMS within the option rendering feature due to double template resolution in option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) when using options from a query or API with untrusted values, potentially allowing attackers to inject malicious queries.","title":"Kirby CMS Server-Side Template Injection via Double Template Resolution","url":"https://feed.craftedsignal.io/briefs/2026-04-kirby-ssti/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-40154"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40154","template-injection","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to a critical vulnerability (CVE-2026-40154) affecting versions prior to 4.5.128. The application\u0026rsquo;s design flaw involves treating remotely fetched template files as trusted executable code. This occurs without performing necessary security checks such as integrity verification, origin validation, or user confirmation. This lack of validation opens a significant attack vector, allowing for supply chain compromises. Attackers can inject malicious code into template files, leading to arbitrary code execution within the PraisonAI environment. The vulnerability was reported on April 9, 2026, and patched in version 4.5.128. Defenders should prioritize upgrading to the latest version to mitigate the risk of exploitation via crafted template files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a PraisonAI instance running a version prior to 4.5.128.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious template file containing arbitrary code. This could involve injecting shell commands or scripts designed to compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious template file on a remote server under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates PraisonAI to fetch the malicious template file. This could involve exploiting a configuration setting or tricking a user into initiating the download.\u003c/li\u003e\n\u003cli\u003ePraisonAI fetches the template file from the attacker\u0026rsquo;s server without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application treats the template file as trusted executable code.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the template is executed by PraisonAI, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the PraisonAI system and can perform actions such as data exfiltration, lateral movement, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40154 can result in a complete compromise of the PraisonAI system. This can lead to unauthorized access to sensitive data, disruption of services, and potential lateral movement within the network. The vulnerable software enables supply chain attacks, making it a critical issue for organizations relying on PraisonAI for their operations. The impact is amplified by the lack of user interaction required for the attack to succeed, with a CVSS v3.1 score of 9.3 highlighting the severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI installations to version 4.5.128 or later to patch CVE-2026-40154.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect attempts to fetch template files from untrusted sources, using the network_connection log source and the IOCs if available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Template File Download\u0026rdquo; to identify suspicious network connections related to template file retrieval.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring on template files if available to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:36Z","date_published":"2026-04-09T22:16:36Z","id":"/briefs/2026-04-praisonai-template-injection/","summary":"PraisonAI before version 4.5.128 is vulnerable to supply chain attacks due to treating remotely fetched template files as trusted executable code without proper verification, enabling exploitation via malicious templates.","title":"PraisonAI Template Injection Vulnerability (CVE-2026-40154)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-template-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-26026"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-26026","template-injection","rce","glpi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI is a widely used open-source IT asset management software. A critical vulnerability, CVE-2026-26026, affects versions 11.0.0 to 11.0.5. This vulnerability stems from a template injection flaw that can be exploited by a logged-in administrator. Successful exploitation allows the administrator to achieve remote code execution (RCE) on the underlying server. The vulnerability was reported on April 6, 2026, and has been patched in version 11.0.6. Organizations using vulnerable versions of GLPI should upgrade immediately to prevent potential compromise. The high CVSS score (9.1) reflects the severity and potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to a vulnerable GLPI instance (versions 11.0.0 - 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a section of the GLPI interface that allows for template modification.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious template containing code injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified template within the GLPI system.\u003c/li\u003e\n\u003cli\u003eThe GLPI system processes the malicious template, executing the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code allows the attacker to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to gain persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26026 can lead to complete compromise of the GLPI server. This allows an attacker to gain unauthorized access to sensitive IT asset information, customer data, and potentially other systems on the network. The impact is significant, as it allows for data breaches, service disruption, and further lateral movement within the organization\u0026rsquo;s infrastructure. Given GLPI\u0026rsquo;s function in managing IT assets, this can result in widespread damage across the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26026.\u003c/li\u003e\n\u003cli\u003eReview and audit GLPI administrator accounts for any suspicious activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GLPI Template Injection Attempts\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to template management endpoints containing suspicious code constructs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Detect GLPI Template Injection RCE\u0026rdquo; rule in your SIEM.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the GLPI server to only authorized personnel and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-rce/","summary":"GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.","title":"GLPI Template Injection RCE (CVE-2026-26026)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4800"},{"cvss":7.2,"id":"CVE-2021-23337"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["lodash","template-injection","rce","cve-2026-4800"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4800 exposes a critical vulnerability within the \u003ccode\u003e_.template\u003c/code\u003e function of the lodash library in versions prior to 4.18.0. This vulnerability arises from insufficient validation when processing user-supplied input within the \u003ccode\u003eoptions.imports\u003c/code\u003e object. Specifically, while a fix for CVE-2021-23337 addressed validation for the \u003ccode\u003evariable\u003c/code\u003e option, it failed to extend the same rigorous checks to the key names within \u003ccode\u003eoptions.imports\u003c/code\u003e. Attackers can exploit this oversight by injecting malicious default-parameter expressions as key names in \u003ccode\u003eoptions.imports\u003c/code\u003e, triggering arbitrary code execution during the template compilation phase. This poses a significant risk, especially in applications that accept untrusted input to configure lodash templates, potentially leading to full system compromise. Furthermore, the vulnerability can be exacerbated if the \u003ccode\u003eObject.prototype\u003c/code\u003e is polluted, allowing inherited properties to be injected into the \u003ccode\u003eimports\u003c/code\u003e object, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe application receives untrusted input intended for use in a lodash template.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code within the key names of the \u003ccode\u003eoptions.imports\u003c/code\u003e object. This payload leverages the default parameter expression vulnerability.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled \u003ccode\u003eoptions.imports\u003c/code\u003e object to the \u003ccode\u003e_.template\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_.template\u003c/code\u003e function processes the \u003ccode\u003eoptions.imports\u003c/code\u003e without proper validation of the key names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eassignInWith\u003c/code\u003e function merges the provided imports, including the attacker-controlled key names and their malicious content, into the template context.\u003c/li\u003e\n\u003cli\u003eDuring template compilation, the JavaScript \u003ccode\u003eFunction()\u003c/code\u003e constructor is invoked, embedding the attacker\u0026rsquo;s injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the application, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage this code execution to perform actions such as installing malware, exfiltrating sensitive data, or compromising other parts of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4800 can lead to arbitrary code execution on the server or client machine where the vulnerable application is running. The severity of this vulnerability is high, as it allows attackers to potentially gain full control of the affected system. The number of potential victims is broad, including any application using a vulnerable version of lodash and processing untrusted input in template configurations. This could affect various sectors, including web applications, APIs, and server-side rendering frameworks. A successful attack could result in data breaches, service disruptions, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to lodash version 4.18.0 or later to patch CVE-2026-4800, which implements proper validation for \u003ccode\u003eoptions.imports\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on any data used to construct \u003ccode\u003eoptions.imports\u003c/code\u003e objects to prevent injection attacks.\u003c/li\u003e\n\u003cli\u003eApply the workaround by only using developer-controlled, static key names in \u003ccode\u003eoptions.imports\u003c/code\u003e to avoid passing untrusted input as key names.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Lodash Template Injection via options.imports\u003c/code\u003e to identify potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T20:16:29Z","date_published":"2026-03-31T20:16:29Z","id":"/briefs/2026-03-lodash-template-injection/","summary":"CVE-2026-4800 allows attackers to inject arbitrary code at template compilation time via untrusted input passed as key names in the options.imports object of the _.template function in lodash versions prior to 4.18.0, potentially leading to remote code execution.","title":"lodash _.template Function Injection Vulnerability (CVE-2026-4800)","url":"https://feed.craftedsignal.io/briefs/2026-03-lodash-template-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["incus","template-injection","privilege-escalation","CVE-2026-33897","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIncus, a system container and virtual machine manager, is vulnerable to arbitrary read and write access as root due to a flaw in its instance template handling. Prior to version 6.23.0, the application lacks proper chroot isolation when processing pongo2 templates. These templates, intended for file templating within instances during their lifecycle, bypass the expected chroot, granting access to the entire host filesystem with root privileges. This vulnerability, identified as CVE-2026-33897…\u003c/p\u003e\n","date_modified":"2026-03-26T23:16:20Z","date_published":"2026-03-26T23:16:20Z","id":"/briefs/2024-01-incus-template-vuln/","summary":"A vulnerability in Incus versions prior to 6.23.0 allows for arbitrary read and write access as root on the host server by exploiting a missing chroot isolation in the pongo2 template engine.","title":"Incus Instance Template Vulnerability CVE-2026-33897","url":"https://feed.craftedsignal.io/briefs/2024-01-incus-template-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["LiteLLM"],"_cs_severities":["high"],"_cs_tags":["ssti","litellm","template-injection","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in LiteLLM versions 1.80.5 up to, but not including, 1.83.7. This flaw resides within the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, which processes user-supplied prompt templates. Due to insufficient input sanitization, a malicious actor with a valid proxy API key can inject arbitrary code into the template, leading to its execution within the LiteLLM Proxy process. This vulnerability was disclosed on April 24, 2026. Successful exploitation can compromise the proxy\u0026rsquo;s environment, potentially exposing sensitive credentials like provider API keys and database passwords, or allowing arbitrary command execution on the host system. Organizations using affected versions of LiteLLM are at risk. The vulnerability is addressed in version 1.83.7-stable by implementing a sandboxed template renderer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the LiteLLM proxy server using a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt template containing SSTI payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, including the crafted template in the request body.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy server receives the request and processes the template without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe SSTI payload executes arbitrary code within the LiteLLM proxy process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to environment variables containing sensitive information, such as API keys and database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed credentials to gain unauthorized access to external services or data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSTI vulnerability allows attackers to execute arbitrary code within the LiteLLM Proxy process. This can lead to the exposure of sensitive information such as API keys and database credentials, potentially enabling unauthorized access to other systems and data. Furthermore, attackers can execute arbitrary commands on the host, leading to full system compromise. The impact is significant for organizations relying on LiteLLM for managing and routing AI model requests, as it could result in data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version \u003ccode\u003e1.83.7-stable\u003c/code\u003e or later to patch the vulnerability, as this version implements a sandboxed template renderer (see Patches).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block \u003ccode\u003ePOST /prompts/test\u003c/code\u003e at your reverse proxy or API gateway to prevent exploitation attempts (see Workarounds).\u003c/li\u003e\n\u003cli\u003eReview and rotate API keys that should not have access to prompt management routes to limit the potential impact of compromised keys (see Workarounds).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM SSTI Attempts via /prompts/test\u0026rdquo; to your SIEM to identify potential exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-05T12:00:00Z","date_published":"2024-11-05T12:00:00Z","id":"/briefs/2024-11-litellm-ssti/","summary":"A server-side template injection vulnerability in LiteLLM versions 1.80.5 to before 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the host.","title":"LiteLLM Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["thymeleaf (\u003c= 3.1.4.RELEASE)","thymeleaf-spring5 (\u003c= 3.1.4.RELEASE)","thymeleaf-spring6 (\u003c= 3.1.4.RELEASE)"],"_cs_severities":["critical"],"_cs_tags":["ssti","template-injection","thymeleaf","cve-2026-41901"],"_cs_type":"advisory","_cs_vendors":["org.thymeleaf"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-41901, has been identified in Thymeleaf, a Java template engine, affecting versions up to and including 3.1.4.RELEASE. This vulnerability allows for Server-Side Template Injection (SSTI) due to the improper neutralization of specific syntax patterns within sandboxed expression execution. Specifically, the library fails to properly sanitize certain constructs, allowing potentially dangerous expressions to be executed even within supposedly restricted contexts. This poses a significant risk if application developers pass unsanitized variables to the template engine and these variables are then utilized in sandboxed areas within the templates. Successful exploitation can lead to arbitrary code execution on the server. All users of affected versions are strongly advised to upgrade to version 3.1.5.RELEASE as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of Thymeleaf (\u0026lt;= 3.1.4.RELEASE).\u003c/li\u003e\n\u003cli\u003eThe attacker locates a template within the application that uses Thymeleaf\u0026rsquo;s expression evaluation within a sandboxed context.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an input field or parameter that passes data to the Thymeleaf template engine.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a Thymeleaf expression designed to bypass the sandbox restrictions. This payload may utilize specific syntax patterns not properly neutralized by the vulnerable Thymeleaf version.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted payload into the identified input field.\u003c/li\u003e\n\u003cli\u003eThe application processes the attacker-controlled input via the Thymeleaf template engine.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the malicious Thymeleaf expression is executed despite the intended sandboxing.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, potentially gaining full control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41901 can lead to complete system compromise. An attacker could potentially execute arbitrary code, install malware, steal sensitive data, or disrupt application services. The vulnerability affects any application using Thymeleaf versions up to 3.1.4.RELEASE, potentially impacting numerous organizations across various sectors. The lack of proper input sanitization is the root cause, which can be difficult to identify and mitigate without patching the underlying Thymeleaf library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Thymeleaf to version 3.1.5.RELEASE or later to patch CVE-2026-41901.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, review and sanitize all data passed to the Thymeleaf template engine to prevent the injection of malicious expressions. However, this workaround is not a complete solution and upgrading is strongly recommended.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Thymeleaf Template Injection Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs, focusing on HTTP requests containing suspicious patterns related to Thymeleaf expressions.\u003c/li\u003e\n\u003cli\u003eEnable verbose logging on your web servers to capture detailed information about HTTP requests and responses, which can aid in identifying and investigating potential template injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-thymeleaf-ssti/","summary":"A server-side template injection vulnerability exists in Thymeleaf versions up to 3.1.4.RELEASE due to improper neutralization of specific constructs, allowing the execution of potentially dangerous expressions in sandboxed contexts if unsanitized variables are passed to the template engine.","title":"Thymeleaf Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-thymeleaf-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["liquidjs"],"_cs_severities":["medium"],"_cs_tags":["liquidjs","denial-of-service","template-injection"],"_cs_type":"advisory","_cs_vendors":["liquidjs"],"content_html":"\u003cp\u003eThe liquidjs template engine, in versions prior to 10.25.7, is vulnerable to a denial-of-service (DoS) attack. This vulnerability stems from the improper handling of circular block references within the \u003ccode\u003e{% layout %}\u003c/code\u003e and \u003ccode\u003e{% block %}\u003c/code\u003e tags. When a template contains a nested block with the same name as an outer block, the rendering process enters an infinite recursive loop. This loop rapidly consumes available memory, leading to a \u0026ldquo;JavaScript heap out of memory\u0026rdquo; error and the subsequent crashing of the Node.js process. The vulnerability allows any user capable of submitting a Liquid template to trigger the DoS. This is especially concerning for CMS platforms, email template builders, and multi-tenant SaaS products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Liquid template containing circular block references, specifically nesting a block with the same name inside another block. For example, \u003ccode\u003e{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this crafted template to an application that uses liquidjs for template rendering. This could be a CMS, email template builder, or any platform allowing user-provided Liquid templates.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s liquidjs engine begins rendering the template.\u003c/li\u003e\n\u003cli\u003eDuring the rendering process, the engine encounters the nested block structure.\u003c/li\u003e\n\u003cli\u003eThe engine attempts to resolve the block references, resulting in a recursive call to the same block\u0026rsquo;s render function.\u003c/li\u003e\n\u003cli\u003eThis recursive call creates an infinite loop, as the inner block continuously calls the outer block\u0026rsquo;s render function, and vice versa.\u003c/li\u003e\n\u003cli\u003eThe infinite loop causes uncontrolled memory allocation, rapidly consuming all available system memory (up to ~4GB).\u003c/li\u003e\n\u003cli\u003eThe Node.js process running the liquidjs engine crashes with a \u0026ldquo;FATAL ERROR: JavaScript heap out of memory\u0026rdquo; error, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial of service (DoS). Any application that accepts user-provided or user-influenced Liquid templates can be crashed by a single malicious template. The Node.js process is terminated by the operating system due to memory exhaustion, resulting in complete service disruption. The number of potential victims is large, including CMS platforms, email template builders, multi-tenant SaaS products, and static site generators with untrusted input.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to liquidjs version 10.25.7 or later to patch CVE-2026-41311.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for Liquid templates to prevent the submission of malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js processes for excessive memory consumption, which could indicate a DoS attack.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LiquidJS Template DoS\u003c/code\u003e to identify potentially malicious templates based on nested block structures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-liquidjs-dos/","summary":"A vulnerability in liquidjs versions prior to 10.25.7 allows for denial of service due to a circular block reference in the layout, causing an infinite recursive loop that exhausts memory and crashes the Node.js process.","title":"liquidjs Denial of Service via Circular Block Reference","url":"https://feed.craftedsignal.io/briefs/2024-01-03-liquidjs-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-41468"}],"_cs_exploited":false,"_cs_products":["Sicuro24 SicuroWeb","AngularJS"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41468","angularjs","template-injection","mitm"],"_cs_type":"advisory","_cs_vendors":["Beghelli"],"content_html":"\u003cp\u003eBeghelli Sicuro24 SicuroWeb is vulnerable due to its inclusion of AngularJS version 1.5.2, which is an end-of-life component with known sandbox escape primitives. This vulnerability, tracked as CVE-2026-41468, can be exploited via template injection present within the SicuroWeb application. When combined, these vulnerabilities allow a network-adjacent attacker to bypass the AngularJS sandbox and achieve arbitrary JavaScript execution within the browser sessions of SicuroWeb operators. The attack is facilitated by plaintext HTTP deployments, where a man-in-the-middle (MITM) attacker can inject the malicious payload without requiring active user interaction. This issue exposes operators to potential session hijacking, DOM manipulation, and persistent browser compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker positions themselves as a Man-in-the-Middle (MITM) on the network.\u003c/li\u003e\n\u003cli\u003eOperator initiates a session with the vulnerable Beghelli Sicuro24 SicuroWeb application over plaintext HTTP.\u003c/li\u003e\n\u003cli\u003eThe MITM attacker intercepts the HTTP traffic between the operator and the SicuroWeb application.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious AngularJS template injection payload into the HTTP response destined for the operator\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe operator\u0026rsquo;s browser processes the injected HTTP response, rendering the malicious AngularJS template.\u003c/li\u003e\n\u003cli\u003eThe injected AngularJS template leverages known sandbox escape primitives present in AngularJS 1.5.2.\u003c/li\u003e\n\u003cli\u003eThe sandbox escape allows the attacker to execute arbitrary JavaScript code within the operator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the arbitrary JavaScript execution to perform actions such as session hijacking, DOM manipulation for credential harvesting, or establishing persistent browser compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41468 can lead to significant compromise of Beghelli Sicuro24 SicuroWeb operator sessions. An attacker can hijack active sessions, steal credentials through DOM manipulation, or establish persistent control over the operator\u0026rsquo;s browser. Due to the lack of specific victim numbers or sector targeting information, the potential scope of damage is difficult to quantify but highly dependent on the privileges associated with compromised operator accounts. A successful attack could enable unauthorized access to sensitive data, system configurations, or control functions managed by the SicuroWeb application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious AngularJS Template Injection\u003c/code\u003e to identify potential exploitation attempts against web applications leveraging AngularJS, focusing on HTTP requests containing suspicious template expressions.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for HTTP traffic to detect potential MITM attacks, focusing on connections to the SicuroWeb application, using the rule \u003ccode\u003eDetect Plaintext HTTP Traffic\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpgrade Beghelli Sicuro24 SicuroWeb to a version that no longer utilizes AngularJS 1.5.2 or implement a robust Content Security Policy (CSP) to mitigate the impact of potential template injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-beghelli-sicuro24-angularjs/","summary":"Beghelli Sicuro24 SicuroWeb is vulnerable to arbitrary JavaScript execution due to embedding an end-of-life AngularJS 1.5.2 component with known sandbox escape primitives combined with template injection, enabling attackers to compromise operator browser sessions via MITM attacks.","title":"Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-beghelli-sicuro24-angularjs/"}],"language":"en","title":"CraftedSignal Threat Feed — Template-Injection","version":"https://jsonfeed.org/version/1.1"}