Description
An SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server side template injection flaw (CWE-94) in the custom template export function of yeti-platform yeti lets an attacker supply template content that the server renders and evaluates rather than treating as data. Because expressions in a general-purpose template engine can reach interpreter internals, this yields code execution under the privileges of the web process and full compromise of the confidentiality, integrity and availability of data stored on or processed by the server.

Affected Systems

Versions of yeti-platform yeti before 2.1.12 are affected; 2.1.12 is the first version the CNA description excludes. The CNA record names yeti-platform as the vendor and yeti as the product but supplies no further affected-configuration data. The flaw lies in the platform's own application code rather than in a third-party dependency.

Risk and Exploitability

The EPSS score is below 1% (very low), but the vulnerability permits remote code execution and is therefore considered high risk. It is not listed in the CISA KEV catalog. The likely attack vector is any user who can trigger the export function, authenticated or unauthenticated depending on how the deployment's access controls are configured. Exploitation requires the attacker to supply crafted template data to the export endpoint, causing the server to evaluate and run that code.

Generated by OpenCVE AI on May 8, 2026 at 06:28 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the CNA description identifies 2.1.12 as the first version that is not affected.

OpenCVE Recommended Actions

  • Upgrade yeti-platform to version 2.1.12 or later to eliminate the vulnerability.
  • If an upgrade is not immediately possible, restrict or remove access to the custom template export endpoint from external traffic.
  • Treat user-supplied templates as untrusted code rather than as data to be sanitized: render them in a sandboxed template environment that exposes only an allow-listed set of fields and filters, or replace the general-purpose engine with a restricted placeholder syntax. Pattern-based input filtering alone is not a reliable defence against SSTI, because payloads are built from ordinary template syntax.

Generated by OpenCVE AI on May 8, 2026 at 06:28 UTC.
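The recommended actions above say to stop rendering user-supplied templates with a general-purpose engine. The following is an added example, not code from yeti-platform (whose template engine this page does not name): a small allow-list renderer for export templates. It recognises exactly two constructs, `{{ dotted.path }}` and `{% for x in dotted.path %} ... {% endfor %}`, resolves paths only by dict-key lookup on plain data, and rejects everything else at parse time, so classic SSTI probes are refused rather than evaluated. The sample data, template and probe strings are constructed for the example.

```python
"""Allow-list renderer for untrusted export templates (constructed example, not yeti-platform code)."""
import re


class TemplateError(ValueError):
    """Raised for any template construct outside the allow-list."""


_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_PATH = rf"{_IDENT}(?:\.{_IDENT})*"
_PATH_RE = re.compile(rf"^{_PATH}$")
_FOR_RE = re.compile(rf"^for\s+({_IDENT})\s+in\s+({_PATH})$")
# Split the template into literal text and tags; the capturing group keeps the tags.
_TAG_RE = re.compile(r"(\{\{.*?\}\}|\{%.*?%\})", re.S)


def _lookup(path: str, scope: dict):
    """Resolve a dotted path by dict-key lookup only: no getattr, no calls, no subscripts."""
    cur = scope
    for part in path.split("."):
        if part.startswith("_"):  # belt and braces: never expose private or dunder names
            raise TemplateError(f"forbidden name {part!r}")
        if not isinstance(cur, dict) or part not in cur:
            raise TemplateError(f"unknown field {path!r}")
        cur = cur[part]
    return cur


def _parse(tokens: list, i: int, in_loop: bool):
    """Build a node list from the token list; returns (nodes, next_index)."""
    nodes = []
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("{{"):
            expr = tok[2:-2].strip()
            if not _PATH_RE.match(expr):  # arithmetic, calls, subscripts: all rejected here
                raise TemplateError(f"expression not allowed {expr!r}")
            nodes.append(("var", expr))
            i += 1
        elif tok.startswith("{%"):
            stmt = tok[2:-2].strip()
            if stmt == "endfor":
                if not in_loop:
                    raise TemplateError("endfor without for")
                return nodes, i + 1
            m = _FOR_RE.match(stmt)
            if not m:  # import, set, include, macro and friends are not in the allow-list
                raise TemplateError(f"statement not allowed {stmt!r}")
            body, i = _parse(tokens, i + 1, True)
            nodes.append(("for", m.group(1), m.group(2), body))
        else:
            if "{{" in tok or "{%" in tok:
                raise TemplateError("unterminated tag")
            nodes.append(("text", tok))
            i += 1
    if in_loop:
        raise TemplateError("for without endfor")
    return nodes, i


def _render(nodes: list, scope: dict) -> str:
    out = []
    for node in nodes:
        if node[0] == "text":
            out.append(node[1])
        elif node[0] == "var":
            val = _lookup(node[1], scope)
            if not isinstance(val, (str, int, float)):  # only scalars are ever printed
                raise TemplateError(f"{node[1]!r} is not a scalar")
            out.append(str(val))
        else:
            _, var, path, body = node
            seq = _lookup(path, scope)
            if not isinstance(seq, list):
                raise TemplateError(f"{path!r} is not a list")
            for item in seq:
                out.append(_render(body, {**scope, var: item}))
    return "".join(out)


def render_export(template: str, data: dict) -> str:
    """Render an untrusted template against plain (JSON-like) data."""
    nodes, _ = _parse(_TAG_RE.split(template), 0, False)
    return _render(nodes, data)


# Constructed sample data standing in for an export of observables.
SAMPLE_DATA = {
    "name": "Daily IOC export",
    "observables": [
        {"value": "203.0.113.7", "type": "ipv4"},
        {"value": "evil.example", "type": "hostname"},
    ],
}
SAFE_TEMPLATE = "# {{ name }}\n{% for o in observables %}{{ o.type }},{{ o.value }}\n{% endfor %}"

# Classic SSTI probes (constructed); each is refused instead of evaluated.
PROBES = [
    "{{ 7*7 }}",
    "{{ ''.__class__.__mro__[1].__subclasses__() }}",
    "{% import os %}",
    "{{ observables.__len__ }}",
]


def probe_results() -> dict:
    """Map each probe to 'rendered' or its rejection reason."""
    results = {}
    for probe in PROBES:
        try:
            render_export(probe, SAMPLE_DATA)
            results[probe] = "rendered"
        except TemplateError as exc:
            results[probe] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(render_export(SAFE_TEMPLATE, SAMPLE_DATA))
    for probe, outcome in probe_results().items():
        print(f"{probe:50} -> {outcome}")
```

The security boundary is that the renderer never calls getattr, never evaluates an expression, and only walks plain dicts and lists, so there is no path from a template to the interpreter's object graph. If a product genuinely needs a full template language, the equivalent control is the engine's sandboxed environment with an explicit allow-list of globals and filters, not a filter on the template text.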

Advisories

No advisories yet.

History

Fri, 08 May 2026 06:45:00 +0000

Type         Values Removed   Values Added
Title        (none)           Server Side Template Injection in Yeti Custom Template Export Allows Remote Code Execution
Weaknesses   (none)           CWE-94

Fri, 08 May 2026 05:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.
References   (none)           (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T05:17:38.541Z

Reserved: 2024-09-11T00:00:00.000Z

Link: CVE-2024-46507

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T06:16:09.840

Modified: 2026-05-08T06:16:09.840

Link: CVE-2024-46507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T06:30:46Z

Weaknesses