CVE-2025-27516HIGH 8.8EPSS p36.7%

CVE-2025-27516CVE-2025-27516

Description

Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS0.46% probability of exploitation · percentile 36.7% · 2026-06-18T12:00:27Z
Published2025-03-05
Last modified2025-11-03

Underlying weaknesses· 1

CWE-1336

References

  1. https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
  2. https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
  3. https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
  4. https://lists.debian.org/debian-lts-announce/2025/04/msg00045.html

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements Used in a Template Enginecwe-13360%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-25526
CVE
CVE-2026-33154
CVE
CVE-2025-59340
CVE
CVE-2026-35044
CVE
CVE-2026-45017
CVE
CVE-2026-24425
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.