template-injection
Safeguard articles tagged "template-injection" — guides, analysis, and best practices for software supply chain and application security.
6 articles
CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole
A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.
What Is SSTI (Server-Side Template Injection)?
SSTI happens when user input is compiled as template code instead of rendered as data, often leading straight to remote code execution. Here is how to prevent it.
underscore.js template code injection (CVE-2021-23358)
CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.
EJS template engine RCE via client option (CVE-2022-29078)
CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.
ServiceNow CVE-2024-4879: Remote Code Execution via Jelly Template Injection
Critical RCE vulnerabilities in ServiceNow were chained together for unauthenticated access, with active exploitation observed within days of disclosure.
Template Injection (SSTI) Prevention Guide
Server-Side Template Injection turns template engines into code execution engines. This guide covers SSTI in Jinja2, Twig, Freemarker, and other engines, with detection techniques and layered defenses.