Description
Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Published: 2026-06-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Edgewall's Genshi Template Engine contains a server‑side template injection flaw in its expression‑evaluation component, allowing a remote attacker to supply crafted template expressions that trigger the evaluation of arbitrary Python code, leading to remote code execution.

Affected Systems

The flaw affects Edgewall Genshi version 0.7.9. No other versions are listed as impacted in the CNA data.

Risk and Exploitability

The CVSS score is 9.8, and EPSS data is unavailable. The vulnerability permits unauthenticated remote code execution. It is inferred that exploitation requires an attacker to provide malicious template input, which can be done over the network via any interface that accepts unfiltered templates. The high severity and remote code execution impact make it a top‑priority issue for remediation.

Generated by OpenCVE AI on June 26, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Genshi to a patched release that fixes the SSTI, or replace the engine with a template system that does not evaluate arbitrary expressions.
  • If immediate upgrade is not possible, configure Genshi to strict white‑listing of template constructs, and rigorously validate or sanitize all user‑supplied template data before rendering.
  • Run the template rendering in a restricted environment—such as a container with limited privileges or by dropping privileges before evaluation—to constrain the damage of any accidental code execution.

Generated by OpenCVE AI on June 26, 2026 at 22:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Edgewall
Edgewall genshi
Vendors & Products Edgewall
Edgewall genshi

Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 26 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Title Server side template inject (SSTI) in Edgewall Genshi Template Engine
References

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-26T17:36:14.375Z

Reserved: 2026-01-07T19:12:01.099Z

Link: CVE-2026-0685

cve-icon Vulnrichment

Updated: 2026-06-26T15:50:40.957Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:06:30Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')