Vulnerability details: VCID-8vr3-83b4-hqd2
Vulnerability ID VCID-8vr3-83b4-hqd2
Aliases CVE-2024-56326
GHSA-q2x7-8rv6-6q7h
Summary: Jinja has a sandbox breakout through indirect reference to format method
An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch direct calls to `str.format` and ensures they don't escape the sandbox. However, it is possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built into Jinja, but they could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (5)
System Score Found at
cvssv3 6.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56326.json
epss 0.00336 https://api.first.org/data/v1/epss?cve=CVE-2024-56326
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q2x7-8rv6-6q7h
cvssv3.1 7.8 https://github.com/pallets/jinja
cvssv4 5.4 https://github.com/pallets/jinja
generic_textual MODERATE https://github.com/pallets/jinja
cvssv3.1 7.8 https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
cvssv4 5.4 https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
generic_textual MODERATE https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
ssvc Track https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
cvssv3.1 7.8 https://github.com/pallets/jinja/releases/tag/3.1.5
cvssv4 5.4 https://github.com/pallets/jinja/releases/tag/3.1.5
generic_textual MODERATE https://github.com/pallets/jinja/releases/tag/3.1.5
ssvc Track https://github.com/pallets/jinja/releases/tag/3.1.5
cvssv3.1 7.8 https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
cvssv3.1_qr MODERATE https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
cvssv4 5.4 https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
generic_textual MODERATE https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
ssvc Track https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
cvssv3.1 7.8 https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
cvssv4 5.4 https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2024-56326
cvssv4 5.4 https://nvd.nist.gov/vuln/detail/CVE-2024-56326
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-56326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56326.json
https://api.first.org/data/v1/epss?cve=CVE-2024-56326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56326
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pallets/jinja
https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
https://github.com/pallets/jinja/releases/tag/3.1.5
https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
https://nvd.nist.gov/vuln/detail/CVE-2024-56326
1091331 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091331
2333856 https://bugzilla.redhat.com/show_bug.cgi?id=2333856
GHSA-q2x7-8rv6-6q7h https://github.com/advisories/GHSA-q2x7-8rv6-6q7h
RHSA-2025:0308 https://access.redhat.com/errata/RHSA-2025:0308
RHSA-2025:0335 https://access.redhat.com/errata/RHSA-2025:0335
RHSA-2025:0338 https://access.redhat.com/errata/RHSA-2025:0338
RHSA-2025:0341 https://access.redhat.com/errata/RHSA-2025:0341
RHSA-2025:0345 https://access.redhat.com/errata/RHSA-2025:0345
RHSA-2025:0656 https://access.redhat.com/errata/RHSA-2025:0656
RHSA-2025:0667 https://access.redhat.com/errata/RHSA-2025:0667
RHSA-2025:0711 https://access.redhat.com/errata/RHSA-2025:0711
RHSA-2025:0721 https://access.redhat.com/errata/RHSA-2025:0721
RHSA-2025:0722 https://access.redhat.com/errata/RHSA-2025:0722
RHSA-2025:0753 https://access.redhat.com/errata/RHSA-2025:0753
RHSA-2025:0777 https://access.redhat.com/errata/RHSA-2025:0777
RHSA-2025:0834 https://access.redhat.com/errata/RHSA-2025:0834
RHSA-2025:0842 https://access.redhat.com/errata/RHSA-2025:0842
RHSA-2025:0850 https://access.redhat.com/errata/RHSA-2025:0850
RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875
RHSA-2025:0883 https://access.redhat.com/errata/RHSA-2025:0883
RHSA-2025:0950 https://access.redhat.com/errata/RHSA-2025:0950
RHSA-2025:0951 https://access.redhat.com/errata/RHSA-2025:0951
RHSA-2025:0978 https://access.redhat.com/errata/RHSA-2025:0978
RHSA-2025:1101 https://access.redhat.com/errata/RHSA-2025:1101
RHSA-2025:1109 https://access.redhat.com/errata/RHSA-2025:1109
RHSA-2025:1118 https://access.redhat.com/errata/RHSA-2025:1118
RHSA-2025:1123 https://access.redhat.com/errata/RHSA-2025:1123
RHSA-2025:1130 https://access.redhat.com/errata/RHSA-2025:1130
RHSA-2025:1241 https://access.redhat.com/errata/RHSA-2025:1241
RHSA-2025:1250 https://access.redhat.com/errata/RHSA-2025:1250
RHSA-2025:1710 https://access.redhat.com/errata/RHSA-2025:1710
RHSA-2025:2399 https://access.redhat.com/errata/RHSA-2025:2399
RHSA-2025:2612 https://access.redhat.com/errata/RHSA-2025:2612
RHSA-2025:2700 https://access.redhat.com/errata/RHSA-2025:2700
RHSA-2025:3374 https://access.redhat.com/errata/RHSA-2025:3374
RHSA-2025:4576 https://access.redhat.com/errata/RHSA-2025:4576
USN-7244-1 https://usn.ubuntu.com/7244-1/
USN-7343-1 https://usn.ubuntu.com/7343-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56326.json
Attack Vector (AV): local; Attack Complexity (AC): high; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pallets/jinja
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pallets/jinja
Attack Vector (AV): local; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): low; User Interaction (UI): passive; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
Attack Vector (AV): local; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): low; User Interaction (UI): passive; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-27T17:50:50Z/ Found at https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pallets/jinja/releases/tag/3.1.5
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pallets/jinja/releases/tag/3.1.5
Attack Vector (AV): local; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): low; User Interaction (UI): passive; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-27T17:50:50Z/ Found at https://github.com/pallets/jinja/releases/tag/3.1.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
Attack Vector (AV): local; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): low; User Interaction (UI): passive; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-27T17:50:50Z/ Found at https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
Attack Vector (AV): local; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): low; User Interaction (UI): passive; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-56326
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-56326
Attack Vector (AV): local; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): low; User Interaction (UI): passive; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56438
EPSS Score 0.00336
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:08.944698+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q2x7-8rv6-6q7h/GHSA-q2x7-8rv6-6q7h.json 38.0.0