{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/244846#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA Server-Side Template Injection (SSTI) vulnerability exists in the Genshi template engine due to unsafe evaluation of template expressions. Genshi processes template expressions using Python's 'eval()' and 'exec()' functions while allowing fallback access to Python built-in objects. If an attacker can influence template expressions, this behavior can result in arbitrary code execution on the server.\r\n\r\n### Description\r\nGenshi is a Python library developed by Edgewall. It provides an integrated set of components for parsing, generating, and processing HTML, XML, or other textual content for output generation on the web. Genshi is mostly used to render dynamic web pages in Python web frameworks.\r\n\r\nGenshi evaluates template expressions, such as ${…}, through an internal expression evaluation mechanism implemented in Genshi's 'eval.py'.\r\nDuring expression evaluation, variable resolution is performed by the 'lookupname()' method. If a variable is not found in the provided template data, Genshi falls back to resolving the name from Python's built-in namespace. This namespace includes powerful built-in functions such as 'globals()' and '__import__'.\r\nAs a result, when an attacker can control or inject template expressions, they may access Python built-in functions and chain them to achieve arbitrary code execution.\r\n\r\n### Impact\r\nIf an attacker can influence or inject template expressions, this vulnerability allows arbitrary code execution with the privileges of the running application. Potential impacts include executing operating system commands, deploying reverse shells or web shells, unauthorized access to sensitive data, or full compromise of the affected server. This issue effectively turns SSTI into Remote Code Execution (RCE).\r\n\r\n### Solution\r\nAt the time of publication, Genshi has not released an update addressing this issue. Until an official patch or guidance is provided by the vendor, the following mitigations are recommended:\r\n\r\n1. Do not allow untrusted users to control template expressions or template sources. Templates must be treated as executable code.\r\n\r\n2. Restrict or eliminate access to Python built-ins during template evaluation.\r\n\r\n3. Avoid using 'eval()' or 'exec()' on dynamically constructed expressions when untrusted input is involved.\r\n\r\n4. If user-defined templates are required, render them in a hardened sandbox environment.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Jangwoo Choe. This document was written by Michael Bragg.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/244846"},{"url":"https://github.com/edgewall/genshi/","summary":"https://github.com/edgewall/genshi/"}],"title":"Server-Side Template Injection (SSTI) vulnerability exists in Genshi","tracking":{"current_release_date":"2026-01-20T16:41:18+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#244846","initial_release_date":"2026-01-20 13:33:35.968440+00:00","revision_history":[{"date":"2026-01-20T16:41:18+00:00","number":"1.20260120164118.4","summary":"Released on 2026-01-20T16:41:18+00:00"}],"status":"final","version":"1.20260120164118.4"}},"vulnerabilities":[{"title":"Server-side template injection (SSTI) in the expression evaluation component in Genshi Template Engine version 0.","notes":[{"category":"summary","text":"Server-side template injection (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions."}],"cve":"CVE-2026-0685","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#244846"}]}],"product_tree":{"branches":[]}}