CVE-2026-2969
Received Received - Intake
Template Injection Vulnerability in datapizza-ai Jinja2 Handler

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2969
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
datapizza datapizza_ai 0.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-791 The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2969 is a Server Side Template Injection (SSTI) vulnerability found in version 0.0.2 of the datapizza-labs datapizza-ai software. It affects the ChatPromptTemplate function in the datapizza-ai-core/datapizza/modules/prompt/prompt.py file, specifically in the Jinja2 Template Handler component.

The vulnerability arises because the application uses the Jinja2 template engine to compile and render user-controlled templates without proper sanitization or sandboxing. This improper neutralization of special elements in the template allows attackers to inject malicious Jinja2 expressions.

An attacker can exploit this flaw remotely by injecting crafted templates that execute arbitrary system commands on the server, such as creating files or listing directory contents, effectively allowing full server takeover.

Impact Analysis

This vulnerability can have severe impacts including full compromise of the affected system. Attackers who control prompt templates can execute arbitrary system commands remotely, potentially gaining complete control over the server.

  • Remote command execution on the server.
  • Complete subversion of the application’s behavior.
  • Potential reverse shell access and full server takeover.
  • Compromise of confidentiality, integrity, and availability of the system.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable datapizza-ai version 0.0.2 and specifically the use of the ChatPromptTemplate function in the file datapizza-ai-core/datapizza/modules/prompt/prompt.py that uses Jinja2 templates without proper sanitization.'}, {'type': 'paragraph', 'content': "Detection can also involve looking for signs of Server Side Template Injection (SSTI) exploitation attempts, such as unusual template rendering behavior or unexpected files created by commands like 'touch pwned1' or 'touch pwned2' on the server."}, {'type': 'paragraph', 'content': "A practical approach is to attempt to inject Jinja2 expressions remotely (in a controlled and authorized environment) to see if arbitrary commands can be executed, for example by injecting payloads that execute commands like 'ls -alh' or create files."}, {'type': 'paragraph', 'content': "Specific commands to detect exploitation attempts or verify vulnerability include checking for the presence of suspicious files created by exploits (e.g., 'pwned1', 'pwned2') using:"}, {'type': 'list_item', 'content': 'ls -alh | grep pwned'}, {'type': 'list_item', 'content': "find / -name 'pwned*' 2>/dev/null"}, {'type': 'paragraph', 'content': 'Additionally, monitoring network traffic for unusual requests containing Jinja2 template syntax or payloads targeting the ChatPromptTemplate endpoint may help detect exploitation attempts.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include avoiding the use of the vulnerable datapizza-ai version 0.0.2 or replacing the affected component with an alternative product.'}, {'type': 'paragraph', 'content': "If continuing to use the affected software, modify the code to use Jinja2's sandboxed environment to safely render templates instead of directly using jinja2.Template with untrusted input."}, {'type': 'paragraph', 'content': 'Ensure that any user-controlled input used in template rendering is properly sanitized and neutralized to prevent injection of malicious template expressions.'}, {'type': 'paragraph', 'content': 'Since the vendor has not responded and no official patch is available, consider restricting access to the vulnerable functionality to trusted users only and monitor for exploitation attempts.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart