Package details: pkg:pypi/jinja2@3.1.6
purl pkg:pypi/jinja2@3.1.6
Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-23hx-apt2-77bn
Summary: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.
Aliases: CVE-2025-27516, GHSA-cpwx-vrp4-4pq7

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-07T04:57:11.128143+00:00 | GHSA Importer | Fixing | VCID-23hx-apt2-77bn | https://github.com/advisories/GHSA-cpwx-vrp4-4pq7 | 38.1.0 |
| 2026-04-02T12:40:56.761391+00:00 | GitLab Importer | Fixing | VCID-23hx-apt2-77bn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Jinja2/CVE-2025-27516.yml | 38.0.0 |
| 2026-04-01T12:56:17.184291+00:00 | GithubOSV Importer | Fixing | VCID-23hx-apt2-77bn | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-cpwx-vrp4-4pq7/GHSA-cpwx-vrp4-4pq7.json | 38.0.0 |