Server Side Template Injection
- Risk: High
- Type: Active
- CWE: CWE-94
- Summary
When user input is inserted into the template instead of being passed as a rendering argument, it is evaluated by the template engine. Depending on the template engine, this can lead to remote code execution.
- Solution
Instead of inserting the user input into the template, pass it as a rendering argument.
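The difference between the two patterns, as an added example that is not part of the original alert text. It assumes Python's built-in `str.format` as a stand-in for a template engine; `Config`, `CONFIG`, `render_unsafe`, `render_safe` and `contains_template_syntax` are hypothetical names, and the secret is a constructed value.

```python
import string
from dataclasses import dataclass


@dataclass
class Config:
    site_name: str
    api_key: str


# Constructed sample data; the key is a placeholder, not a real credential.
CONFIG = Config(site_name="Example Shop", api_key="CONSTRUCTED-SECRET-123")


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: user input becomes part of the template text,
    so the engine evaluates any template syntax it contains."""
    template = "Welcome to {cfg.site_name}, " + user_input + "!"
    return template.format(cfg=CONFIG)


def render_safe(user_input: str) -> str:
    """Fixed pattern: the template is a constant and user input is only a
    rendering argument, so it is emitted as data and never evaluated."""
    template = "Welcome to {cfg.site_name}, {name}!"
    return template.format(cfg=CONFIG, name=user_input)


def contains_template_syntax(text: str) -> bool:
    """Regression-test helper: True if text would be interpreted as template
    syntax by str.format (replacement fields or unbalanced braces)."""
    try:
        return any(field is not None
                   for _, field, _, _ in string.Formatter().parse(text))
    except ValueError:
        # Malformed braces are also a sign that raw input reached a template.
        return True


if __name__ == "__main__":
    probe = "{cfg.api_key}"  # constructed input that uses template syntax
    print("unsafe:", render_unsafe(probe))
    print("safe:  ", render_safe(probe))
    print("flagged:", contains_template_syntax(probe))
```

With the constant template, the same input comes back verbatim in the output instead of being resolved against the rendering context.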