[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2019-8341":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":62,"aliases":77,"duplicate_of":9,"upstream":78,"downstream":79,"duplicates":94,"related":95,"reserved_at":9,"published_at":101,"modified_at":102,"state":103,"summary":104,"references_raw":112,"kevs":149,"epss":150,"epss_history":153,"metrics":393,"affected":402},"CVE-2019-8341","An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-94","Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","weakness","Draft","Base","Medium",[20,24,58],{"id":21,"name":22,"techniques":23},"CAPEC-242","Code Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[28,39,46],{"id":29,"name":30,"tactics":31,"countermeasures":38},"T1027.006","HTML Smuggling",[32,35],{"id":33,"name":34},"TA0030","Defense Evasion",{"id":36,"name":37},"TA0005","Stealth",[],{"id":40,"name":41,"tactics":42,"countermeasures":45},"T1027.009","Embedded Payloads",[43,44],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":49,"countermeasures":52},"T1564.009","Resource Forking",[50,51],{"id":33,"name":34},{"id":36,"name":37},[53],{"id":54,"name":55,"tactic":56},"D3-FFV","File Format Verification",{"name":57},"Isolate",{"id":59,"name":60,"techniques":61},"CAPEC-77","Manipulating User-Controlled Variables",[],[63],{"_key":64,"name":65,"source":66,"url":67,"maturity":68,"reliability_score":69,"verified":70,"type":9,"platforms":71,"requires_auth":9,"exploitdb":73,"metasploit":9},"46386","Jinja2 2.10 - 'from_string' Server Side Template Injection","exploit-database","https://www.exploit-db.com/exploits/46386","poc",0.5,false,[72],"python",{"verified":70,"type":74,"platform":72,"file":75,"codes":76},"webapps","exploits/python/webapps/46386.py",[7],[],[],[80,82,84,86,88,90,92],{"_key":81},"UBUNTU-CVE-2019-8341",{"_key":83},"SUSE-SU-2019:1156-1",{"_key":85},"SUSE-SU-2019:1554-1",{"_key":87},"SUSE-SU-2020:3096-1",{"_key":89},"SUSE-SU-2020:3897-1",{"_key":91},"OPENSUSE-SU-2019:1395-1",{"_key":93},"DEBIAN-CVE-2019-8341",[],[96,97,98,99,100],{"_key":83},{"_key":85},{"_key":87},{"_key":89},{"_key":91},"2019-02-15T07:00:00.000Z","2024-08-04T21:17:30.550Z","Modified",{"cisa_kev":70,"cisa_ransomware":70,"cisa_vendor":9,"epss_severity":105,"epss_score":106,"severity":107,"severity_score":108,"severity_version":109,"severity_source":110,"severity_vector":111,"severity_status":103},"high",0.25411,"critical",9.8,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[113,120,128,135,139,144],{"url":114,"sources":115,"tags":117},"https://github.com/JameelNabbo/Jinja2-Code-execution",[116,110],"cve.org",[118,119],"X Refsource MISC","Broken Link",{"url":121,"sources":122,"tags":123},"https://www.exploit-db.com/exploits/46386/",[116,110],[124,125,126,127],"Exploit","X Refsource EXPLOIT DB","Third Party Advisory","VDB Entry",{"url":129,"sources":130,"tags":131},"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html",[116,110],[132,133,134,126],"Vendor Advisory","X Refsource SUSE","Mailing List",{"url":136,"sources":137,"tags":138},"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html",[116,110],[132,133,134,126],{"url":140,"sources":141,"tags":142},"https://bugzilla.redhat.com/show_bug.cgi?id=1677653",[116,110],[118,143,126],"Issue Tracking",{"url":145,"sources":146,"tags":147},"https://bugzilla.suse.com/show_bug.cgi?id=1125815",[116,110],[148,143,126],"X Refsource CONFIRM",[],{"date":151,"score":106,"percentile":152},"2026-06-04",0.96317,[154,158,161,164,167,170,172,174,176,179,183,187,190,192,195,199,202,204,207,209,213,216,219,222,225,227,230,232,236,239,242,245,248,251,254,256,259,262,265,267,270,273,276,278,280,283,285,288,290,292,294,296,299,301,304,307,310,312,315,318,320,322,325,328,331,333,335,338,341,344,346,348,351,354,357,359,361,363,365,367,369,372,375,378,380,382,384,386,389,391],{"date":155,"score":156,"percentile":157},"2025-11-04",0.22008,0.95535,{"date":159,"score":156,"percentile":160},"2025-11-05",0.95534,{"date":162,"score":156,"percentile":163},"2025-11-06",0.95537,{"date":165,"score":156,"percentile":166},"2025-11-07",0.95538,{"date":168,"score":156,"percentile":169},"2025-11-08",0.95536,{"date":171,"score":156,"percentile":157},"2025-11-09",{"date":173,"score":156,"percentile":169},"2025-11-10",{"date":175,"score":156,"percentile":163},"2025-11-11",{"date":177,"score":156,"percentile":178},"2025-11-12",0.9554,{"date":180,"score":181,"percentile":182},"2025-11-13",0.27837,0.96243,{"date":184,"score":185,"percentile":186},"2025-11-14",0.3636,0.96928,{"date":188,"score":185,"percentile":189},"2025-11-15",0.96926,{"date":191,"score":185,"percentile":189},"2025-11-16",{"date":193,"score":185,"percentile":194},"2025-11-17",0.96927,{"date":196,"score":197,"percentile":198},"2025-11-18",0.69391,0.98684,{"date":200,"score":197,"percentile":201},"2025-11-19",0.98685,{"date":203,"score":197,"percentile":201},"2025-11-20",{"date":205,"score":185,"percentile":206},"2025-11-21",0.96929,{"date":208,"score":185,"percentile":194},"2025-11-22",{"date":210,"score":211,"percentile":212},"2025-11-23",0.37804,0.97025,{"date":214,"score":211,"percentile":215},"2025-11-24",0.97027,{"date":217,"score":211,"percentile":218},"2025-11-25",0.97028,{"date":220,"score":211,"percentile":221},"2025-11-26",0.97029,{"date":223,"score":211,"percentile":224},"2025-11-27",0.97031,{"date":226,"score":211,"percentile":224},"2025-11-28",{"date":228,"score":211,"percentile":229},"2025-11-29",0.9703,{"date":231,"score":211,"percentile":218},"2025-11-30",{"date":233,"score":234,"percentile":235},"2025-12-01",0.37397,0.9702,{"date":237,"score":234,"percentile":238},"2025-12-02",0.97021,{"date":240,"score":234,"percentile":241},"2025-12-03",0.97022,{"date":243,"score":234,"percentile":244},"2025-12-04",0.97001,{"date":246,"score":234,"percentile":247},"2025-12-05",0.97002,{"date":249,"score":234,"percentile":250},"2025-12-06",0.97003,{"date":252,"score":234,"percentile":253},"2025-12-07",0.97004,{"date":255,"score":234,"percentile":253},"2025-12-08",{"date":257,"score":234,"percentile":258},"2025-12-09",0.97006,{"date":260,"score":234,"percentile":261},"2025-12-10",0.97012,{"date":263,"score":234,"percentile":264},"2025-12-11",0.97014,{"date":266,"score":234,"percentile":264},"2025-12-12",{"date":268,"score":234,"percentile":269},"2025-12-13",0.97018,{"date":271,"score":234,"percentile":272},"2025-12-14",0.97013,{"date":274,"score":234,"percentile":275},"2025-12-15",0.97015,{"date":277,"score":234,"percentile":269},"2025-12-16",{"date":279,"score":234,"percentile":238},"2025-12-17",{"date":281,"score":234,"percentile":282},"2025-12-18",0.97023,{"date":284,"score":234,"percentile":282},"2025-12-19",{"date":286,"score":234,"percentile":287},"2025-12-20",0.97024,{"date":289,"score":234,"percentile":282},"2025-12-21",{"date":291,"score":234,"percentile":282},"2025-12-22",{"date":293,"score":234,"percentile":287},"2025-12-23",{"date":295,"score":234,"percentile":218},"2025-12-24",{"date":297,"score":234,"percentile":298},"2025-12-25",0.97032,{"date":300,"score":234,"percentile":298},"2025-12-26",{"date":302,"score":234,"percentile":303},"2025-12-27",0.97058,{"date":305,"score":234,"percentile":306},"2025-12-28",0.97034,{"date":308,"score":234,"percentile":309},"2025-12-29",0.97035,{"date":311,"score":234,"percentile":309},"2025-12-30",{"date":313,"score":234,"percentile":314},"2025-12-31",0.97039,{"date":316,"score":234,"percentile":317},"2026-01-01",0.97065,{"date":319,"score":234,"percentile":317},"2026-01-02",{"date":321,"score":234,"percentile":317},"2026-01-03",{"date":323,"score":234,"percentile":324},"2026-01-04",0.9704,{"date":326,"score":234,"percentile":327},"2026-01-05",0.97041,{"date":329,"score":234,"percentile":330},"2026-01-06",0.97042,{"date":332,"score":234,"percentile":330},"2026-01-07",{"date":334,"score":234,"percentile":330},"2026-01-08",{"date":336,"score":234,"percentile":337},"2026-01-09",0.97044,{"date":339,"score":234,"percentile":340},"2026-01-10",0.97046,{"date":342,"score":234,"percentile":343},"2026-01-11",0.97045,{"date":345,"score":234,"percentile":343},"2026-01-12",{"date":347,"score":234,"percentile":340},"2026-01-13",{"date":349,"score":234,"percentile":350},"2026-01-14",0.97049,{"date":352,"score":234,"percentile":353},"2026-01-15",0.9705,{"date":355,"score":356,"percentile":247},"2026-01-16",0.36588,{"date":358,"score":356,"percentile":250},"2026-01-17",{"date":360,"score":356,"percentile":247},"2026-01-18",{"date":362,"score":356,"percentile":247},"2026-01-19",{"date":364,"score":356,"percentile":253},"2026-01-20",{"date":366,"score":356,"percentile":253},"2026-01-21",{"date":368,"score":356,"percentile":258},"2026-01-22",{"date":370,"score":356,"percentile":371},"2026-01-23",0.97009,{"date":373,"score":356,"percentile":374},"2026-01-24",0.9701,{"date":376,"score":356,"percentile":377},"2026-01-25",0.97011,{"date":379,"score":356,"percentile":272},"2026-01-26",{"date":381,"score":356,"percentile":261},"2026-01-27",{"date":383,"score":356,"percentile":264},"2026-01-28",{"date":385,"score":356,"percentile":275},"2026-01-29",{"date":387,"score":356,"percentile":388},"2026-01-30",0.97016,{"date":390,"score":356,"percentile":388},"2026-01-31",{"date":392,"score":356,"percentile":324},"2026-02-01",[394],{"source":110,"cvss_v2_0":395,"cvss_v3_0":9,"cvss_v3_1":400,"cvss_v4_0":9},{"baseScore":396,"baseSeverity":9,"vectorString":397,"impactScore":398,"exploitabilityScore":399},7.5,"AV:N/AC:L/Au:N/C:P/I:P/A:P",6.4,10,{"baseScore":108,"baseSeverity":401,"vectorString":111,"impactScore":108,"exploitabilityScore":399},"CRITICAL",[403,413],{"ecosystem":9,"name":404,"vendor":405,"product":404,"cpe_part":406,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":407},"leap","opensuse","o",[408,411],{"version":409,"is_range":70,"range_type":410,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"15.0","cpe",{"version":412,"is_range":70,"range_type":410,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"42.3",{"ecosystem":9,"name":414,"vendor":415,"product":414,"cpe_part":416,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":417},"jinja2","pocoo","a",[418],{"version":419,"is_range":70,"range_type":410,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"2.10"]