Description
JumpServer is an open source bastion host and an operation and maintenance security audit system. A Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.
Published: 2026-03-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

JumpServer, an open source bastion host, has a Server-Side Template Injection vulnerability in its Applet and VirtualApp upload process. The flaw arises from unsandboxed Jinja2 rendering of the manifest.yml inside a user-supplied ZIP package. An attacker who already holds Application Applet Management or Virtual Application Management permissions can place Jinja2 expressions in that manifest; they are evaluated when the package is processed, yielding arbitrary code execution inside the JumpServer Core container (the advisory does not claim escape to the host). This directly jeopardizes the confidentiality, integrity, and availability of the JumpServer deployment and, through it, of any systems managed by the bastion.

Affected Systems

The affected product is JumpServer (identified by the CPE cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*). No specific affected version ranges are listed in the CVE data; therefore, all releases containing the vulnerable Applet/VirtualApp upload logic may be impacted.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) is rated Medium: the impact on confidentiality, integrity and availability is High, but exploitation requires high privileges (an account holding Application Applet Management or Virtual Application Management permissions) and user interaction. The EPSS score below 1% indicates that exploitation in the wild is currently unlikely, the vulnerability is not listed in the CISA KEV catalogue, and the SSVC assessment records Exploitation: none and Automatable: no. The exposure is therefore concentrated in privileged accounts: if such an account is compromised or misused by an insider, a crafted manifest.yml gives code execution inside the Core container with little effort, so the vulnerability should be treated as a serious privilege-abuse path rather than a low-priority finding.

Generated by OpenCVE AI on March 18, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JumpServer as soon as the vendor publishes a release that fixes this issue (none is listed on this page at the time of writing); a correct fix renders uploaded manifests only in a sandboxed Jinja2 environment, or stops treating them as templates altogether.
  • Until then, limit the Application Applet Management and Virtual Application Management permissions to the smallest set of trusted administrators, since only accounts holding them can upload Applet or VirtualApp packages.
  • Review the audit logs for Applet/VirtualApp upload events, and inspect the manifest.yml inside uploaded packages for Jinja2 syntax ({{ ... }}, {% ... %}) that reaches into Python internals, for example dunder attributes such as __class__ or __globals__.
  • After updating, verify that Jinja2 rendering of uploaded content is sandboxed or disabled, for instance by uploading a test package in a non-production instance whose manifest contains a harmless template expression and confirming that it is rejected or rendered inertly.

Generated by OpenCVE AI on March 18, 2026 at 15:27 UTC.
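The description above says that manifest.yml is passed through Jinja2 without a sandbox, and the recommended actions ask you to verify that rendering is sandboxed and to watch uploads for template expressions that reach Python internals. The following example is added for this page and is not JumpServer's own code: it assumes the Jinja2 package is installed, uses constructed manifests and a hypothetical render context, and its function names (render_manifest, render_attempt, suspicious_expressions) are illustrative. It renders the same manifest through a plain Environment and through SandboxedEnvironment, and flags expressions that look like attribute walks into Python internals. The probe expression in the malicious manifest is a generic Jinja2 SSTI idiom, not something taken from the advisory.

```python
"""Unsandboxed vs. sandboxed Jinja2 rendering of an uploaded manifest.yml.

Added illustration for this page, not JumpServer's own code. It assumes the
Jinja2 package is installed; the manifests and the render context below are
constructed sample input, and the function names are hypothetical.
"""
import re

from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Hypothetical variables an upload handler might expose to the manifest.
RENDER_CONTEXT = {"name": "demo-applet", "version": "1.0.0"}

# Constructed benign manifest: uses template variables the intended way.
BENIGN_MANIFEST = """\
name: {{ name }}
version: {{ version }}
display_name: Demo applet
"""

# Constructed malicious manifest. The expression is a generic Jinja2 SSTI
# probe (not taken from the advisory): it walks from a string literal to
# Python's object base class. Without a sandbox the same attribute walk can
# continue through __subclasses__() to anything importable, which is why
# unsandboxed rendering of attacker-controlled text amounts to code execution.
MALICIOUS_MANIFEST = """\
name: {{ ''.__class__.__mro__[1].__name__ }}
version: 1.0.0
"""

JINJA_EXPRESSION = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Heuristic markers of an expression that reaches Python internals.
SUSPICIOUS_TOKEN = re.compile(r"__\w+__|\bimport\b|\bpopen\b|\bsubprocess\b|\bsystem\b")


def render_manifest(text: str, sandboxed: bool) -> str:
    """Render manifest text through Jinja2.

    sandboxed=False reproduces the unsafe pattern the advisory describes
    (a plain Environment); sandboxed=True is the hardened form.
    """
    env_cls = SandboxedEnvironment if sandboxed else Environment
    env = env_cls(undefined=StrictUndefined)
    return env.from_string(text).render(**RENDER_CONTEXT)


def render_attempt(text: str, sandboxed: bool) -> tuple:
    """Return ("ok", rendered_text) or ("blocked", reason)."""
    try:
        return "ok", render_manifest(text, sandboxed)
    except SecurityError as exc:
        return "blocked", str(exc)


def suspicious_expressions(text: str) -> list:
    """Upload-time check: Jinja2 expressions in a manifest that look like
    attribute walks into Python internals. A heuristic for audit logging and
    alerting, not a substitute for sandboxing."""
    return [m for m in JINJA_EXPRESSION.findall(text) if SUSPICIOUS_TOKEN.search(m)]


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("malicious", MALICIOUS_MANIFEST)):
        print(f"--- {label} manifest, flagged expressions: {suspicious_expressions(manifest)}")
        for sandboxed in (False, True):
            status, detail = render_attempt(manifest, sandboxed)
            print(f"sandboxed={sandboxed}: {status}: {detail.strip()}")
```

Run the file directly to see the two renderings side by side: the plain Environment evaluates the probe and prints the name of Python's base class, while SandboxedEnvironment raises SecurityError on the first underscore-prefixed attribute. Two caveats for anyone applying this to their own upload handler: the sandbox only restricts access to Python internals and still evaluates arbitrary expressions, so if the manifest does not need templating at all the stronger fix is to stop rendering it; and the token heuristic is for logging and review, since an attacker who controls the manifest can reach the same objects through other spellings.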

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 13:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Fit2cloud
                                       Fit2cloud jumpserver
CPEs                  -                cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*
Vendors & Products    -                Fit2cloud
                                       Fit2cloud jumpserver

Mon, 16 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Jumpserver
                                       Jumpserver jumpserver
Vendors & Products    -                Jumpserver
                                       Jumpserver jumpserver

Fri, 13 Mar 2026 20:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:45:00 +0000

Type                  Values Removed   Values Added
Description           -                JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.
Title                 -                JumpServer has a Server-Side Template Injection Leading to RCE via YAML Rendering
Weaknesses            -                CWE-1336
References            -                -
Metrics               -                cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:44:51.850Z

Reserved: 2026-03-09T19:02:25.013Z

Link: CVE-2026-31864

Vulnrichment

Updated: 2026-03-13T19:44:48.625Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:36.803

Modified: 2026-03-18T13:09:28.853

Link: CVE-2026-31864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:14Z

Weaknesses