ssti
Safeguard articles tagged "ssti" — guides, analysis, and best practices for software supply chain and application security.
7 articles
Code injection risks in CLI tools and IDE plugins
A malicious npm dependency hid in event-stream for 8M downloads before detection. Developer tooling is a code-injection blast radius most teams never audit.
Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox
CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.
What Is SSTI (Server-Side Template Injection)?
SSTI happens when user input is compiled as template code instead of rendered as data, often leading straight to remote code execution. Here is how to prevent it.
What is Server-Side Template Injection (SSTI)
SSTI lets attackers turn untrusted input into executable template code, often leading to full remote code execution — here's how it works and how to stop it.
Server-side template injection (SSTI) explained
SSTI lets attackers turn template syntax into server-side RCE. See how it works, real CVEs like Confluence's, and how to prevent it.
Template Injection (SSTI) Prevention Guide
Server-Side Template Injection turns template engines into code execution engines. This guide covers SSTI in Jinja2, Twig, Freemarker, and other engines, with detection techniques and layered defenses.
VMware Workspace ONE CVE-2022-22954: Server-Side Template Injection Goes Enterprise
CVE-2022-22954 in VMware Workspace ONE Access allowed unauthenticated RCE via server-side template injection. Attackers used it to deploy cryptominers and backdoors.