Server-Side Template Injection


The application is vulnerable to Server-Side Template Injection (SSTI), which lets an attacker inject content into templates that are evaluated on the server. This vulnerability arises when untrusted user input is placed directly into the source of a server-side template without adequate sanitization. Attackers can exploit this weakness to inject and execute arbitrary code through the template engine, potentially compromising the system's integrity and confidentiality.


User-controlled data should always have its special elements neutralized when it is used to construct Expression Language statements. Consult the documentation for the template system in use on how to properly neutralize user-controlled data.
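The contrast described above, as an added example that is not part of the original page: Ruby's standard-library ERB engine renders the same constructed user value once with the value concatenated into the template source (the SSTI pattern) and once passed in as template data (the fix). The input string and both helper functions are assumptions made for the demonstration.

```ruby
require 'erb'

# Constructed sample input: a "name" value a user might submit. It carries an
# ERB tag so the two rendering paths can be told apart by their output.
USER_INPUT = "<%= 6 * 7 %>"

# Vulnerable pattern: the user value becomes part of the template source, so
# ERB parses and evaluates any tags the user supplied.
def render_vulnerable(user_input)
  ERB.new("Hello, #{user_input}!").result(binding)
end

# Mitigated pattern: the template source is fixed at development time and the
# user value is supplied as data. ERB evaluates tags only in the template text,
# so the value is inserted verbatim and never executed.
SAFE_TEMPLATE = ERB.new("Hello, <%= name %>!")

def render_safe(user_input)
  SAFE_TEMPLATE.result_with_hash(name: user_input)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(USER_INPUT)  # tag evaluated: "Hello, 42!"
  puts render_safe(USER_INPUT)        # tag kept as text: "Hello, <%= 6 * 7 %>!"
end
```

Output escaping for the target context (HTML, JavaScript) is a separate concern that the safe template still needs to apply to `name`.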


ID      Aggregated  CWE   Type    Risk
1336.1  false       1336  Active  high