[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2025-27516":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T14:55:33.319Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":19,"aliases":20,"duplicate_of":9,"upstream":22,"downstream":23,"duplicates":80,"related":81,"reserved_at":9,"published_at":122,"modified_at":123,"state":124,"summary":125,"references_raw":134,"kevs":170,"epss":171,"epss_history":174,"metrics":451,"affected":466},"CVE-2025-27516","Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-1336","Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.","weakness","Incomplete","Base",[],[],[21],"GHSA-cpwx-vrp4-4pq7",[],[24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78],{"_key":25},"ALPINE-CVE-2025-27516",{"_key":27},"SUSE-SU-2025:1004-1",{"_key":29},"UBUNTU-CVE-2025-27516",{"_key":31},"SUSE-SU-2025:0956-1",{"_key":33},"DLA-4126-1",{"_key":35},"SUSE-SU-2025:1004-2",{"_key":37},"SUSE-SU-2025:20156-1",{"_key":39},"SUSE-SU-2025:20254-1",{"_key":41},"MGASA-2025-0094",{"_key":43},"DEBIAN-CVE-2025-27516",{"_key":45},"USN-7343-1",{"_key":47},"RHSA-2025:2688",{"_key":49},"RHSA-2025:3017",{"_key":51},"RHSA-2025:3111",{"_key":53},"RHSA-2025:3113",{"_key":55},"RHSA-2025:3123",{"_key":57},"RHSA-2025:3160",{"_key":59},"RHSA-2025:3371",{"_key":61},"RHSA-2025:3388",{"_key":63},"RHSA-2025:3406",{"_key":65},"RHSA-2025:3562",{"_key":67},"RHSA-2025:3580",{"_key":69},"RHSA-2025:3585",{"_key":71},"RHSA-2025:3586",{"_key":73},"RHSA-2025:3588",{"_key":75},"RHSA-2025:3622",{"_key":77},"RHSA-2025:3671",{"_key":79},"RHSA-2025:7476",[],[82,83,84,85,86,87,88,90,92,94,96,98,100,102,104,106,108,110,112,114,116,118,120],{"_key":27},{"_key":31},{"_key":35},{"_key":37},{"_key":39},{"_key":41},{"_key":89},"CGA-2H34-36GR-7WJW",{"_key":91},"CGA-3WHM-XMCR-46QF",{"_key":93},"CGA-3X3W-QQ6C-VP29",{"_key":95},"CGA-54Q9-CVJW-RR77",{"_key":97},"CGA-7VQX-6V2V-7GXR",{"_key":99},"CGA-8FG5-VXMW-77P6",{"_key":101},"CGA-8GFH-2MJ5-27QQ",{"_key":103},"CGA-CH38-HM3P-VQFX",{"_key":105},"CGA-HW4R-MXQV-7JJ9",{"_key":107},"CGA-M6WH-C9M7-3G8V",{"_key":109},"CGA-MCP3-399F-P32W",{"_key":111},"CGA-P346-MCCF-RP28",{"_key":113},"CGA-PXMX-R998-7P4J",{"_key":115},"CGA-Q74H-CFPR-QVCV",{"_key":117},"CGA-RC3C-CV49-W8JW",{"_key":119},"CGA-V9X5-9F3J-VH44",{"_key":121},"CGA-XX5R-CXH4-797P","2025-03-05T20:40:06.568Z","2026-02-26T19:09:45.280Z","Modified",{"cisa_kev":126,"cisa_ransomware":126,"cisa_vendor":9,"epss_severity":127,"epss_score":128,"severity":129,"severity_score":130,"severity_version":131,"severity_source":132,"severity_vector":133,"severity_status":124},false,"low",0.00121,"high",8.8,"v3.1","nvd","CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",[135,144,150,156,160,165],{"url":136,"sources":137,"tags":140},"https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7",[138,132,139],"cve.org","osv_pypi",[141,142,143],"X Refsource CONFIRM","Vendor Advisory","WEB",{"url":145,"sources":146,"tags":147},"https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403",[138,132,139],[148,149,143],"X Refsource MISC","Patch",{"url":151,"sources":152,"tags":153},"https://lists.debian.org/debian-lts-announce/2025/04/msg00045.html",[138,132,139],[154,155,143],"Mailing List","Third Party Advisory",{"url":157,"sources":158,"tags":159},"https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html",[138,132,139],[143],{"url":161,"sources":162,"tags":163},"https://nvd.nist.gov/vuln/detail/CVE-2025-27516",[139],[164],"Advisory",{"url":166,"sources":167,"tags":168},"https://github.com/pallets/jinja",[139],[169],"PACKAGE",[],{"date":172,"score":128,"percentile":173},"2026-06-04",0.30683,[175,179,182,185,188,192,195,198,201,204,207,210,213,216,219,223,227,230,234,237,240,244,247,250,253,256,260,263,267,270,273,276,279,282,285,288,291,294,297,300,303,306,309,312,315,318,321,324,327,330,333,336,339,342,346,349,352,355,358,362,365,368,371,374,377,379,382,385,388,391,394,397,400,403,406,408,411,414,417,419,422,425,428,431,434,437,440,443,445,448],{"date":176,"score":177,"percentile":178},"2025-11-04",0.00136,0.34113,{"date":180,"score":177,"percentile":181},"2025-11-05",0.34099,{"date":183,"score":177,"percentile":184},"2025-11-06",0.34101,{"date":186,"score":177,"percentile":187},"2025-11-07",0.34118,{"date":189,"score":190,"percentile":191},"2025-11-08",0.00138,0.34526,{"date":193,"score":190,"percentile":194},"2025-11-09",0.34508,{"date":196,"score":190,"percentile":197},"2025-11-10",0.34457,{"date":199,"score":190,"percentile":200},"2025-11-11",0.34486,{"date":202,"score":190,"percentile":203},"2025-11-12",0.34532,{"date":205,"score":190,"percentile":206},"2025-11-13",0.34549,{"date":208,"score":190,"percentile":209},"2025-11-14",0.34553,{"date":211,"score":190,"percentile":212},"2025-11-15",0.34552,{"date":214,"score":190,"percentile":215},"2025-11-16",0.34525,{"date":217,"score":190,"percentile":218},"2025-11-17",0.345,{"date":220,"score":221,"percentile":222},"2025-11-18",0.00491,0.6294,{"date":224,"score":225,"percentile":226},"2025-11-19",0.00688,0.695,{"date":228,"score":225,"percentile":229},"2025-11-20",0.69507,{"date":231,"score":232,"percentile":233},"2025-11-21",0.00159,0.3727,{"date":235,"score":232,"percentile":236},"2025-11-22",0.37271,{"date":238,"score":232,"percentile":239},"2025-11-23",0.37237,{"date":241,"score":242,"percentile":243},"2025-11-24",0.00194,0.41561,{"date":245,"score":242,"percentile":246},"2025-11-25",0.41576,{"date":248,"score":242,"percentile":249},"2025-11-26",0.41571,{"date":251,"score":242,"percentile":252},"2025-11-27",0.41577,{"date":254,"score":242,"percentile":255},"2025-11-28",0.4155,{"date":257,"score":258,"percentile":259},"2025-11-29",0.00258,0.48849,{"date":261,"score":258,"percentile":262},"2025-11-30",0.48835,{"date":264,"score":265,"percentile":266},"2025-12-01",0.00109,0.29925,{"date":268,"score":265,"percentile":269},"2025-12-02",0.29955,{"date":271,"score":265,"percentile":272},"2025-12-03",0.29961,{"date":274,"score":258,"percentile":275},"2025-12-04",0.48839,{"date":277,"score":258,"percentile":278},"2025-12-05",0.4886,{"date":280,"score":258,"percentile":281},"2025-12-06",0.48862,{"date":283,"score":258,"percentile":284},"2025-12-07",0.48848,{"date":286,"score":258,"percentile":287},"2025-12-08",0.48853,{"date":289,"score":258,"percentile":290},"2025-12-09",0.48875,{"date":292,"score":258,"percentile":293},"2025-12-10",0.48938,{"date":295,"score":258,"percentile":296},"2025-12-11",0.48956,{"date":298,"score":258,"percentile":299},"2025-12-12",0.4898,{"date":301,"score":258,"percentile":302},"2025-12-13",0.48963,{"date":304,"score":258,"percentile":305},"2025-12-14",0.48952,{"date":307,"score":258,"percentile":308},"2025-12-15",0.48935,{"date":310,"score":258,"percentile":311},"2025-12-16",0.48944,{"date":313,"score":258,"percentile":314},"2025-12-17",0.48968,{"date":316,"score":258,"percentile":317},"2025-12-18",0.49011,{"date":319,"score":258,"percentile":320},"2025-12-19",0.4902,{"date":322,"score":258,"percentile":323},"2025-12-20",0.49036,{"date":325,"score":258,"percentile":326},"2025-12-21",0.49008,{"date":328,"score":258,"percentile":329},"2025-12-22",0.48995,{"date":331,"score":258,"percentile":332},"2025-12-23",0.48993,{"date":334,"score":258,"percentile":335},"2025-12-24",0.49005,{"date":337,"score":258,"percentile":338},"2025-12-25",0.49057,{"date":340,"score":258,"percentile":341},"2025-12-26",0.49047,{"date":343,"score":344,"percentile":345},"2025-12-27",0.00272,0.5041,{"date":347,"score":258,"percentile":348},"2025-12-28",0.48986,{"date":350,"score":258,"percentile":351},"2025-12-29",0.48969,{"date":353,"score":344,"percentile":354},"2025-12-30",0.50374,{"date":356,"score":344,"percentile":357},"2025-12-31",0.50412,{"date":359,"score":360,"percentile":361},"2026-01-01",0.00116,0.31186,{"date":363,"score":360,"percentile":364},"2026-01-02",0.31175,{"date":366,"score":360,"percentile":367},"2026-01-03",0.31156,{"date":369,"score":344,"percentile":370},"2026-01-04",0.50375,{"date":372,"score":344,"percentile":373},"2026-01-05",0.50358,{"date":375,"score":344,"percentile":376},"2026-01-06",0.50365,{"date":378,"score":344,"percentile":370},"2026-01-07",{"date":380,"score":344,"percentile":381},"2026-01-08",0.504,{"date":383,"score":344,"percentile":384},"2026-01-09",0.50383,{"date":386,"score":344,"percentile":387},"2026-01-10",0.5038,{"date":389,"score":344,"percentile":390},"2026-01-11",0.50359,{"date":392,"score":344,"percentile":393},"2026-01-12",0.50315,{"date":395,"score":344,"percentile":396},"2026-01-13",0.5029,{"date":398,"score":344,"percentile":399},"2026-01-14",0.50338,{"date":401,"score":344,"percentile":402},"2026-01-15",0.50342,{"date":404,"score":344,"percentile":405},"2026-01-16",0.50363,{"date":407,"score":344,"percentile":402},"2026-01-17",{"date":409,"score":344,"percentile":410},"2026-01-18",0.50317,{"date":412,"score":344,"percentile":413},"2026-01-19",0.50293,{"date":415,"score":344,"percentile":416},"2026-01-20",0.50292,{"date":418,"score":344,"percentile":413},"2026-01-21",{"date":420,"score":344,"percentile":421},"2026-01-22",0.503,{"date":423,"score":344,"percentile":424},"2026-01-23",0.5035,{"date":426,"score":344,"percentile":427},"2026-01-24",0.50356,{"date":429,"score":344,"percentile":430},"2026-01-25",0.50308,{"date":432,"score":344,"percentile":433},"2026-01-26",0.50282,{"date":435,"score":344,"percentile":436},"2026-01-27",0.50287,{"date":438,"score":344,"percentile":439},"2026-01-28",0.50299,{"date":441,"score":344,"percentile":442},"2026-01-29",0.50296,{"date":444,"score":344,"percentile":439},"2026-01-30",{"date":446,"score":344,"percentile":447},"2026-01-31",0.50305,{"date":449,"score":360,"percentile":450},"2026-02-01",0.30759,[452,457,464],{"source":138,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":453},{"baseScore":454,"baseSeverity":455,"vectorString":456,"impactScore":9,"exploitabilityScore":9},5.4,"MEDIUM","CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",{"source":132,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":458,"cvss_v4_0":462},{"baseScore":130,"baseSeverity":459,"vectorString":133,"impactScore":460,"exploitabilityScore":461},"HIGH",10,5.1,{"baseScore":454,"baseSeverity":455,"vectorString":463,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",{"source":139,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":465},{"baseScore":454,"baseSeverity":9,"vectorString":456,"impactScore":9,"exploitabilityScore":9},[467,476,486,491],{"ecosystem":9,"name":468,"vendor":469,"product":470,"cpe_part":471,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":472},"debian linux","debian","debian_linux","o",[473],{"version":474,"is_range":126,"range_type":475,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"11.0","cpe",{"ecosystem":9,"name":477,"vendor":478,"product":477,"cpe_part":479,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":480},"jinja","pallets","a",[481],{"version":482,"is_range":483,"range_type":138,"version_start":9,"version_start_type":9,"version_end":484,"version_end_type":485,"fixed_in":9},"\u003C 3.1.6",true,"3.1.6","excluding",{"ecosystem":9,"name":477,"vendor":487,"product":477,"cpe_part":479,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":488},"palletsprojects",[489],{"version":490,"is_range":483,"range_type":475,"version_start":9,"version_start_type":9,"version_end":484,"version_end_type":485,"fixed_in":9},"lt3.1.6",{"ecosystem":492,"name":493,"vendor":492,"product":493,"cpe_part":9,"purl_type":494,"purl_namespace":9,"purl_name":493,"source":9,"versions":495},"PyPI","jinja2","pypi",[496],{"version":497,"is_range":483,"range_type":498,"version_start":9,"version_start_type":9,"version_end":484,"version_end_type":485,"fixed_in":9},"lt3_1_6","ecosystem"]