Safeguard
Tag

template-injection

Safeguard articles tagged "template-injection" — guides, analysis, and best practices for software supply chain and application security.

6 articles

Application Security

CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole

A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.

Jul 7, 20266 min read
Vulnerability Guides

What Is SSTI (Server-Side Template Injection)?

SSTI happens when user input is compiled as template code instead of rendered as data, often leading straight to remote code execution. Here is how to prevent it.

Jul 2, 20265 min read
Vulnerability Analysis

underscore.js template code injection (CVE-2021-23358)

CVE-2021-23358 lets attacker-controlled template settings inject arbitrary code via underscore.js's _.template function. Here's the impact, fix, and remediation steps.

Jan 5, 20267 min read
Vulnerability Analysis

EJS template engine RCE via client option (CVE-2022-29078)

CVE-2022-29078 lets attackers achieve remote code execution in EJS via unsanitized render options. Affected versions, severity, and fixes inside.

Jan 5, 20267 min read
Vulnerability Analysis

ServiceNow CVE-2024-4879: Remote Code Execution via Jelly Template Injection

Critical RCE vulnerabilities in ServiceNow were chained together for unauthenticated access, with active exploitation observed within days of disclosure.

Jul 10, 20246 min read
Application Security

Template Injection (SSTI) Prevention Guide

Server-Side Template Injection turns template engines into code execution engines. This guide covers SSTI in Jinja2, Twig, Freemarker, and other engines, with detection techniques and layered defenses.

Aug 5, 20235 min read
template-injection — Safeguard Blog