CWE-1336
All CWE-1336 CVEs (60)
This vulnerability allows unauthenticated remote attackers to execute arbitrary PHP code on Invision Community installations by sending crafted templa... (May 16, 2025)
CVE-2025-46661 is an unauthenticated remote code execution vulnerability in IPW Systems Metazo through version 8.1.3. Attackers can exploit Server-Sid... (Apr 28, 2025)
This vulnerability in GitLab AI Gateway allows attackers to execute arbitrary code or cause denial of service through insecure template expansion in D... (Feb 9, 2026)
This critical vulnerability in Crafty Controller's Webhook Template component allows authenticated attackers to execute arbitrary code on the server t... (Dec 17, 2025)
CVE-2025-32461 is a critical remote code execution vulnerability in Tiki Wiki CMS where the wikiplugin_includetpl plugin improperly handles input pass... (Apr 9, 2025)
The Dynamics 365 Integration plugin for WordPress has a Server-Side Template Injection vulnerability in Twig rendering that allows authenticated attac... (Jan 4, 2025)
This CVE describes a Server Side Include (SSI) injection vulnerability in the WordPress Event Tickets with Ticket Scanner plugin. Attackers can inject... (Nov 18, 2024)
The WPML WordPress plugin has a critical Server-Side Template Injection vulnerability that allows authenticated attackers with Contributor-level acces... (Aug 21, 2024)
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded versions before 1.5.0 allows remote attackers to write arbitrary file... (Feb 25, 2026)
CVE-2026-25526 is a critical vulnerability in JinJava template engine that allows attackers to bypass sandbox restrictions and execute arbitrary Java ... (Feb 4, 2026)
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport allows attackers to execute arbitrary code ... (Jan 20, 2026)
Bagisto eCommerce platforms running versions before 2.3.10 are vulnerable to server-side template injection via the type parameter. This allows attack... (Jan 2, 2026)
Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection that can lead to remote code execution. When custom... (Jan 2, 2026)
CVE-2022-23851 is a server-side template injection vulnerability in Netaxis API Orchestrator (APIO) that allows attackers to execute arbitrary code on... (Dec 17, 2025)
CVE-2025-60355 is a critical Server-Side Template Injection (SSTI) vulnerability in zhangyd-c OneBlog that allows attackers to execute arbitrary code ... (Oct 28, 2025)
CVE-2025-59340 is a critical deserialization vulnerability in jinjava that allows attackers to bypass sandbox restrictions and instantiate arbitrary J... (Sep 17, 2025)
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in SiYuan's Sprig template engine that allows attackers to access environment... (Dec 12, 2024)
CVE-2024-4040 is a critical server-side template injection vulnerability in CrushFTP that allows unauthenticated attackers to read files outside the s... (Apr 22, 2024)
This vulnerability allows remote attackers to execute arbitrary code on Gibbon systems through server-side template injection in the messengerSettings... (Apr 3, 2024)
This CVE describes a template injection vulnerability in Elastic Cloud Enterprise (ECE) where Jinjava template variables are improperly neutralized. A... (Oct 13, 2025)
This vulnerability allows remote attackers to execute arbitrary commands on WordPress sites running the vulnerable Contact Form by Supsystic plugin. A... (Oct 16, 2024)
This CVE describes a Server-Side Template Injection vulnerability in Fides privacy platform's Email Templating feature. It allows privileged users (Ow... (Sep 4, 2024)
This vulnerability allows authenticated admin users in Adobe Commerce to execute arbitrary code through improper template engine neutralization. It af... (Jun 15, 2023)
This vulnerability allows authenticated Frappe users with specific permissions to be tricked into clicking malicious links that execute arbitrary code... (Dec 29, 2025)
A Server-Side Template Injection vulnerability in Amidaware Tactical RMM allows low-privileged users with Report Viewer or Report Manager permissions ... (Jan 29, 2026)
This vulnerability allows authenticated remote code execution in Craft CMS via Twig Server-Side Template Injection. Attackers with administrator acces... (Jan 5, 2026)
Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection (SSTI) through first name and last name fields. Thi... (Jan 2, 2026)
This vulnerability allows authenticated users with admin panel access in Grav CMS to escalate privileges to full admin or execute arbitrary system com... (Dec 1, 2025)
This vulnerability in the Advanced Views WordPress plugin allows authenticated attackers with author-level access or higher to execute arbitrary PHP c... (Sep 23, 2025)
AutoGPT versions 0.3.4 and earlier contain a Server-Side Template Injection vulnerability that allows attackers to execute arbitrary code on the host ... (Mar 20, 2025)
CVE-2025-27516 is a sandbox escape vulnerability in Jinja templating engine that allows attackers who control template content to execute arbitrary Py... (Mar 5, 2025)
This Client-side Template Injection vulnerability in Webkul Krayin CRM allows attackers to inject malicious template code during lead creation, which ... (Sep 27, 2024)
This vulnerability in the mustache.php template engine allows attackers to execute arbitrary code by injecting malicious templates. It affects any PHP... (Jan 21, 2022)
This CVE describes a remote code execution vulnerability in Crocoblock JetEngine WordPress plugin where improper template engine sanitization allows a... (Aug 20, 2025)
Skyvern versions through 0.1.85 have a server-side template injection vulnerability in workflow block prompt fields. Authenticated attackers can injec... (Jun 7, 2025)
This vulnerability allows authenticated remote attackers to execute arbitrary code on Airbyte servers via Server-Side Template Injection (SSTI) in the... (Jul 9, 2024)
This critical vulnerability allows attackers with admin privileges to inject and execute arbitrary template code in server-side templates due to a vul... (Feb 19, 2026)
This Server-Side Template Injection vulnerability in Mintlify's MDX Rendering Engine allows attackers to execute arbitrary code by injecting malicious... (Dec 19, 2025)
Shopware's sw_silent_feature_call Twig tag has improper input escaping, allowing code execution through the feature flag name parameter. This affects ... (Aug 8, 2024)
A Server-Side Template Injection vulnerability in Calibre's Templite engine allows arbitrary code execution when converting ebooks using malicious cus... (Feb 6, 2026)
This CVE describes a Server-Side Template (SST) vulnerability in Grav CMS that allows attackers to extract sensitive configuration details through spe... (Dec 1, 2025)
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in the Relate Learning and Teaching System that allows remote attackers to ex... (Apr 26, 2024)
OpenMetadata versions before 1.11.4 contain a Server-Side Template Injection vulnerability in FreeMarker email templates that allows remote code execu... (Jan 8, 2026)
This CVE describes a remote code execution vulnerability in Craft CMS via Twig Server-Side Template Injection (SSTI). Attackers can execute arbitrary ... (Aug 25, 2025)
This CVE describes a server-side template injection (SSTI) vulnerability in Craft CMS that could allow remote code execution. The vulnerability requir... (May 5, 2025)
CVE-2024-37301 is a server-side template injection vulnerability in Document Merge Service versions 6.5.1 and prior that allows remote code execution.... (Jun 11, 2024)
This vulnerability allows remote code execution (RCE) through template injection in SQLPad's connection test endpoint. Attackers can execute arbitrary... (Mar 15, 2022)
This vulnerability in Nautobot allows malicious users to exploit Jinja2 templating features to expose secret values or modify data without proper perm... (Jun 10, 2025)
Wiki.js versions before 2.5.303 contain a client-side template injection vulnerability that allows attackers to inject malicious JavaScript into page ... (May 20, 2024)
This CVE describes a template injection vulnerability in Ansible where unsafe template data can be executed, potentially allowing attackers to run arb... (Dec 12, 2023)

About CWE-1336
Our database tracks 60 CVEs classified as CWE-1336, with 24 rated critical and 27 rated high severity. The average CVSS score for CWE-1336 vulnerabilities is 8.4.