CWE-1336 vulnerability list (129)

A summary of 129 CVE entries associated with CWE-1336 weaknesses, with AI-generated Chinese-language analysis.

CWE-1336 describes a template engine that fails to properly neutralize special elements in externally supplied input, allowing an attacker to inject malicious template expressions. An attacker exploits this to execute arbitrary code or steal sensitive data, commonly by crafting input that contains special syntax in order to bypass filtering. Developers should avoid concatenating user input directly into templates and instead use safe parameterized binding, and should strictly limit the template engine's capabilities so that only the intended variable substitution is possible, eliminating the injection risk at its root.

MITRE CWE official description

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine. The product uses a template engine to insert or process externally influenced input, but it does not neutralize, or incorrectly neutralizes, special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Many web applications use template engines that allow developers to insert externally influenced values into free text or messages in order to generate a full web page, document, message, and so on. Such engines include Twig, Jinja2, Pug, Java Server Pages, FreeMarker, Velocity, ColdFusion, Smarty and many others, including PHP itself. Some CMSs (Content Management Systems) also use templates. Template engines often have their own custom command or expression language. If an attacker can influence the input to a template before it is processed, the attacker can invoke arbitrary expressions, that is, perform an injection attack. For example, in some template languages an attacker can inject the expression "{{7*7}}" and check whether the output returns "49" instead of the literal text. The syntax varies from language to language. In some cases XSS-style (cross-site scripting style) attacks can work, which can obscure the root cause if the developer does not investigate the underlying error carefully. Template engines can be used on the server side or the client side, so both "sides" can be affected by injection. The attack mechanism or the affected technology may differ, but the mistake is fundamentally the same.
Common consequences (1)
Integrity: Execute Unauthorized Code or Commands
Mitigations (2)
Architecture and Design: Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Implementation: Use the template engine's sandbox or restricted mode, if available.
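The two mitigations above, and the "{{7*7}}" probe from the CWE description, as an added Jinja2 example that is not part of this page or of any listed project: the vulnerable pattern concatenates user input into the template source, the fixed pattern keeps the template constant and binds the input as a variable, and a sandbox alone is shown to be only defense in depth. Function names and the greeting template are constructed for the demo.

```python
"""Added example: CWE-1336 in Jinja2, the vulnerable pattern beside the fix.

Constructed demo; function names and the template text are our own and do
not come from any project listed on this page.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment


def render_unsafe(display_name: str) -> str:
    """Vulnerable: user input becomes part of the TEMPLATE SOURCE, so any
    template syntax it contains is compiled and evaluated by the engine."""
    env = Environment()
    template_source = "Hello " + display_name + "!"
    return env.from_string(template_source).render()


# Fixed: the template source is a constant written by the developer.
GREETING_TEMPLATE = "Hello {{ name }}!"


def render_safe(display_name: str) -> str:
    """User input only enters as a bound variable (parameterized binding);
    the engine treats it as data, and autoescape also neutralizes the
    XSS-style case mentioned in the CWE text."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(GREETING_TEMPLATE).render(name=display_name)


def render_sandboxed_but_still_concatenated(display_name: str) -> str:
    """Defense in depth only: the sandbox restricts what an expression may
    reach, but it still evaluates expressions, so concatenated input is
    still interpreted as template code."""
    env = SandboxedEnvironment()
    return env.from_string("Hello " + display_name + "!").render()


PROBE = "{{7*7}}"  # the detection probe quoted in the CWE description

if __name__ == "__main__":
    print(render_unsafe(PROBE))                          # Hello 49!
    print(render_safe(PROBE))                            # Hello {{7*7}}!
    print(render_sandboxed_but_still_concatenated(PROBE))  # Hello 49!
```

A rendered "49" where the literal probe text was expected is the symptom the CWE text describes; the durable fix is the `render_safe` shape, with the sandbox as an additional layer rather than a replacement.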
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-34906 | Server-Side Template Injection (SSTI) in Wirtualna Uczelnia | Wirtualna Uczelnia | - | - | 2026-06-02
CVE-2026-42252 | Apache Airflow: BashOperator Jinja2 injection via dag_run.conf (low-privilege user pattern) | Apache Airflow | - | - | 2026-06-01
CVE-2026-49382 | JetBrains IntelliJ IDEA security vulnerability | IntelliJ IDEA | 4.5 | Medium | 2026-05-29
CVE-2026-45312 | RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution | ragflow | 9.9 | Critical | 2026-05-29
CVE-2026-9558 | Mautic security vulnerability | - | 9.9 | Critical | 2026-05-29
CVE-2026-44209 | Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI | banks | 7.5 | High | 2026-05-26
CVE-2026-9498 | Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a template engine | lamp-cloud | 6.3 | Medium | 2026-05-25
CVE-2025-40900 | Angular template injection in Reports in Guardian/CMC before 26.1.0 | Guardian | 4.6 | Medium | 2026-05-19
CVE-2026-29207 | Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component | Apache OFBiz | - | - | 2026-05-19
CVE-2026-8740 | Sanluan PublicCMS templateResult API TemplateResultDirective.java execute special elements used in a template engine | PublicCMS | 6.3 | Medium | 2026-05-17
CVE-2026-41713 | Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor | Spring AI | 8.2 | High | 2026-05-12
CVE-2026-44129 | Server-side template injection | Secure Email Gateway | 9.8 (AI) | Critical (AI) | 2026-05-08
CVE-2026-44916 | OpenStack Ironic security vulnerability | Ironic | 3.0 | Low | 2026-05-08
CVE-2026-42203 | LiteLLM: Server-Side Template Injection in /prompts/test endpoint | litellm | 9.6 (AI) | Critical (AI) | 2026-05-08
CVE-2026-6984 | AstrBotDevs AstrBot Dashboard API t2i.py create_template special elements used in a template engine | AstrBot | 4.7 | Medium | 2026-04-25
CVE-2026-34587 | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering | kirby | 6.5 (AI) | Medium (AI) | 2026-04-24
CVE-2026-40320 | Giskard has an Unsandboxed Jinja2 Template Rendering in ConformityCheck | giskard-oss | 8.8 (AI) | High (AI) | 2026-04-17
CVE-2026-33392 | JetBrains YouTrack security vulnerability | YouTrack | 7.2 | High | 2026-04-17
CVE-2026-5987 | Sanluan PublicCMS FreeMarker Template AbstractFreemarkerView.java AbstractFreemarkerView.doRender special elements used in a template engine | PublicCMS | 4.7 | Medium | 2026-04-09
CVE-2026-40087 | LangChain has incomplete f-string validation in prompt templates | langchain | 5.3 | Medium | 2026-04-09
CVE-2026-39980 | OpenCTI affected by RCE via notifier template | opencti | 9.1 | Critical | 2026-04-09
CVE-2026-35477 | InvenTree has SSTI in PART_NAME_FORMAT bypasses CVE-2026-27629 fix via {% if part.pk %} sandbox escape | InvenTree | 5.5 | Medium | 2026-04-08
CVE-2026-35044 | BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation | BentoML | 8.8 | High | 2026-04-06
CVE-2026-5559 | AntaresMugisho PyBlade AST Validation sandbox.py _is_safe_ast special elements used in a template engine | PyBlade | 6.3 | Medium | 2026-04-05
CVE-2026-34202 | Zebra node crash: V5 transaction hash panic (P2P reachable) | zebra | 7.5 (AI) | High (AI) | 2026-03-31
CVE-2026-34172 | Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment | giskard-oss | 9.8 | - | 2026-03-31
CVE-2026-28228 | OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution | OpenOLAT | 8.8 | High | 2026-03-30
CVE-2026-33897 | Incus vulnerable to arbitrary file read and write through pongo templates | incus | 10.0 | Critical | 2026-03-26
CVE-2026-33154 | dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver | dynaconf | 7.5 | High | 2026-03-20
CVE-2026-32261 | RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin | webhooks | 7.5 (AI) | High (AI) | 2026-03-16

Entries marked "(AI)" carry a CVSS score and severity estimated by the platform's AI analysis rather than an official rating; "-" means no value was listed.

CWE-1336 is a common weakness category; this platform has collected 129 CVE entries associated with it.