cbcvebase.
CVE-2024-46507
published 2026-05-08

CVE-2024-46507: A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute…

PriorityP278high7.3CVSS 3.1
AVNACLPRNUINSUCLILAL
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
3.92%
89.0th percentile
A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.

Affected

1 ranges
VendorProductVersion rangeFixed in
yeti-platformyeti>= 2.0 < 2.1.122.1.12

Detection & IOCsextracted from sources · hover to see the quote

url/api/v2/auth/token
url/api/v2/templates/
url/api/v2/templates/render
cookieyeti_session=eyJ
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS YETI Platform Server-Side Template Injection (CVE-2024-45607)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v2/templates/"; fast_pattern; http.cookie; content:"yeti_session|3d|eyJ"; http.request_body; content:"|22|template|22 3a|"; content:"|7b 25|"; distance:0; pcre:"/^[^\x2e]*?(?:\x2e\x5f{1,2}\w+)+[\x28\x5b]/R"; reference:url,github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-46507; reference:cve,2024-45607; classtype:web-application-attack; sid:2059842; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_03, cve CVE_2024_45607, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|22|template|22 3a|
bytes
|7b 25|
  • The Snort/Suricata PCRE `/^[^\x2e]*?(?:\x2e\x5f{1,2}\w+)+[\x28\x5b]/R` matches Python dunder-attribute traversal chains (e.g., .__class__.__base__) in the request body, which is the core SSTI gadget pattern.
  • Exploitation requires authentication first. Monitor for POST to /api/v2/auth/token followed shortly by POST to /api/v2/templates/ and /api/v2/templates/render from the same source IP.
  • The exploit flow is: (1) authenticate, (2) create a malicious template via POST /api/v2/templates/, (3) create an observable, (4) render the template via POST /api/v2/templates/render. Alerting on this 4-step sequence is a high-fidelity detection.
  • Session cookie prefix 'yeti_session=eyJ' (base64-encoded JSON JWT) is present in exploit traffic; can be used as an additional filter in HTTP-layer detections.
  • The Jinja2 template block opener |7b 25| ({%) in the request body to /api/v2/templates/ is a strong indicator of template injection attempt.
  • ·The Snort rule references CVE-2024-45607 in its metadata/msg but the actual vulnerability being exploited is CVE-2024-46507. Ensure SID 2059842 is mapped to the correct CVE in your SIEM/IDS.
  • ·The Nuclei PoC template requires valid credentials (username/password variables) to authenticate before exploiting. Detection rules should account for authenticated SSTI attempts, not just unauthenticated probes.
  • ·The Snort rule specifies 'tls_state TLSDecrypt' in metadata, meaning it will only fire on decrypted TLS traffic. Deploy with SSL inspection enabled or supplement with endpoint-level detection for encrypted environments.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.