CVE-2026-31864
Received Received - Intake
Server-Side Template Injection in JumpServer Applet Uploads

Publication date: 2026-03-13

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privileges (Application Applet Management or Virtual Application Management permissions). Attackers can exploit this vulnerability to execute arbitrary code within the JumpServer Core container. The vulnerability arises from unsafe use of Jinja2 template rendering when processing user-uploaded YAML configuration files. When a user uploads an Applet or VirtualApp ZIP package, the manifest.yml file is rendered through Jinja2 without sandbox restrictions, allowing template injection attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31864
EUVD
EUVD-2026-12085
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
fit2cloud jumpserver to 3.10.22 (exc)
fit2cloud jumpserver From 4.0.0 (inc) to 4.10.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31864 is a Server-Side Template Injection (SSTI) vulnerability in JumpServer, an open source bastion host and security audit system.

The vulnerability exists in the Applet and VirtualApp upload functionality, specifically when processing user-uploaded YAML configuration files (manifest.yml) inside ZIP packages.

The issue arises because JumpServer uses Jinja2 template rendering without sandbox restrictions to process these YAML files, allowing malicious template payloads to execute arbitrary code.

Only users with administrative privileges (Applet or Virtual Application Management permissions) can exploit this vulnerability by uploading a specially crafted manifest.yml file containing malicious Jinja2 template code.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code within the JumpServer Core container.

This can lead to theft of sensitive information from all managed hosts or manipulation of the database.

Because the attacker needs administrative privileges, the risk is limited to users with Applet or Virtual Application Management permissions, but the impact on confidentiality, integrity, and availability is high.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves monitoring the upload API endpoints for suspicious activity, especially uploads of Applet or VirtualApp ZIP packages containing malicious manifest.yml files.

Specifically, you should audit users with administrative privileges who have Applet or Virtual Application Management permissions, as exploitation requires these privileges.

While no explicit commands are provided, you can monitor HTTP POST requests to the following endpoints for unusual or unexpected uploads:

  • POST /api/v1/terminal/applets/upload/
  • POST /api/v1/terminal/virtual-apps/upload/

You may use network monitoring tools or web server logs to filter and analyze requests to these endpoints for suspicious payloads, such as manifest.yml files containing Jinja2 template expressions.

Mitigation Strategies

The primary mitigation is to upgrade JumpServer to patched versions v3.10.22, v4.10.16, or later, where the vulnerability has been fixed by sandboxing the Jinja2 template rendering environment.

If immediate upgrade is not possible, you should:

  • Restrict access to Applet and VirtualApp management permissions to trusted administrators only.
  • Monitor the upload API endpoints for suspicious or unauthorized uploads.
  • Audit users with application management privileges regularly to detect any unauthorized activity.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31864. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart