Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
jinja vulnerabilities and exploits
(subscribe to this query)
445
VMScore
CVE-2016-10745
In Pallets Jinja prior to 2.8.1, str.format allows a sandbox escape.
Palletsprojects Jinja
1 Github repository
NA
CVE-2024-22195
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` f...
Palletsprojects Jinja
1 Github repository
445
VMScore
CVE-2020-28493
This affects the package jinja2 from 0.0.0 and prior to 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mi...
Palletsprojects Jinja
Fedoraproject Fedora 33
1 Github repository
446
VMScore
CVE-2019-10906
In Pallets Jinja prior to 2.10.1, str.format_map allows a sandbox escape.
Palletsprojects Jinja
Fedoraproject Fedora 28
Fedoraproject Fedora 29
Fedoraproject Fedora 30
Canonical Ubuntu Linux 18.04
Canonical Ubuntu Linux 18.10
Canonical Ubuntu Linux 19.04
Canonical Ubuntu Linux 14.04
Canonical Ubuntu Linux 16.04
Canonical Ubuntu Linux 12.04
Redhat Software Collections 1.0
Opensuse Leap 42.3
Opensuse Leap 15.0
2 Github repositories
NA
CVE-2022-45132
In Linaro Automated Validation Architecture (LAVA) prior to 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can b...
Linaro Lava
NA
CVE-2023-49736
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: prior to 2.1.2, from 3.0.0 prior to 3.0.2. Users are recommended to upgrade to version 3....
Apache Superset
NA
CVE-2024-34064
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an...
801
VMScore
CVE-2021-44657
In StackStorm versions before 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.
Stackstorm Stackstorm
NA
CVE-2023-49950
The Jinja templating in Logpoint SIEM 6.10.0 up to and including 7.x prior to 7.3.0 does not correctly sanitize log data being displayed when using a custom Jinja template in the Alert view. A remote attacker can craft a cross-site scripting (XSS) payload and send it to any syste...
Logpoint Siem
383
VMScore
CVE-2015-5215
The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 prior to 1.0.1 does not enable auto-escaping, which makes it easier for remote malicious users to conduct cross-site scripting (XSS) attacks via template variables...
Ipsilon-project Ipsilon
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »