CVE-2026-44209

Published: Mag 26, 2026 Last Modified: Mag 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This vulnerability is fixed in 2.4.2.

1336

Improper Neutralization of Special Elements Used in a Template Engine

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: Java, PHP, Python, JavaScript, Interpreted

Technologies: Not Technology-Specific, AI/ML, Client Server

View CWE Details

https://github.com/masci/banks/pull/74

https://github.com/masci/banks/security/advisories/GHSA-gph…

https://github.com/masci/banks/security/advisories/GHSA-gphh-9q3h-jgpp

CVE-2026-44209

Description

Improper Neutralization of Special Elements Used in a Template Engine

Common Consequences

Applicable Platforms

Iscriviti alla newsletter