Description
Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Published: 2026-06-26
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Edgewall's Genshi Template Engine has a server‑side template injection flaw in its expression‑evaluation component that enables a remote attacker to supply crafted template expressions. The CVE description states that such expressions can lead to remote code execution, implying that rendering them may execute arbitrary Python code with the application's privileges.

Affected Systems

The flaw affects Edgewall Genshi version 0.7.9. No other versions are listed as impacted in the CNA data.

Risk and Exploitability

Although a CVSS score was not published at the time of this analysis and EPSS data is unavailable, the vulnerability is assessed as high severity because it permits unauthenticated remote code execution. Exploitation is inferred to require an attacker to supply malicious template input, which can be done over the network through any interface that accepts unfiltered templates. The issue is not yet included in CISA's KEV catalog, but the potential impact makes it a top priority for remediation.

Generated by OpenCVE AI on June 26, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Genshi to a patched release that fixes the SSTI, or replace the engine with a template system that does not evaluate arbitrary expressions.
  • If immediate upgrade is not possible, configure Genshi to operate in safe mode or apply strict white‑listing of template constructs, and rigorously validate or sanitize all user‑supplied template data before rendering.
  • Run the template rendering in a restricted environment—such as a container with limited privileges or by dropping privileges before evaluation—to constrain the damage of any accidental code execution.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type        Values Removed    Values Added
Weaknesses  (none)            CWE-94
Metrics     (none)            cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type         Values Removed    Values Added
Description  (none)            Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Title        (none)            Server side template inject (SSTI) in Edgewall Genshi Template Engine
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-26T17:36:14.375Z

Reserved: 2026-01-07T19:12:01.099Z

Link: CVE-2026-0685

Vulnrichment

Updated: 2026-06-26T15:50:40.957Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')