CVE-2025-27516 — Improper Neutralization of Special Elements Used in a Template Engine in Jinja
CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine
Severity: 5.4 MEDIUM (NVD)
EPSS: 0.2% (top 63.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 5
Latest update: Jul 15
Description
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does c…
CVSS vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Packages (4 packages)
Also affects: Debian Linux 11.0
Patches
Vendor Advisories (4)
Oracle: Oracle Communications Risk Matrix: Alarms, KPI, and Measurements (Jinja) — CVE-2025-27516 (2025-04-15)