CVE-2026-0685
Status: Received - Intake
Server-Side Template Injection in Genshi 0.7.9 Leads to RCE

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: CERT/CC

Description
Server-side template injection (SSTI) in the expression evaluation component of the Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: edgewall
Product: genshi
Version / Range: 0.7.9
Helpful Resources
Exploitability
CWE ID / Description: CWE-UNKNOWN (no CWE assigned on this page)
KEV: no listing shown
Executive Summary

CVE-2026-0685 is a Server-Side Template Injection (SSTI) vulnerability in the Genshi Template Engine version 0.7.9. Genshi evaluates template expressions with Python's eval() (and exec() for embedded code blocks), and a name that is not found in the template data falls back to Python's built-in namespace.

An attacker who can control the text of a template expression can therefore execute arbitrary Python code on the server. Genshi processes expressions such as ${...} through an internal evaluation mechanism in which builtins such as globals() and __import__ are reachable, so the attacker can chain calls from those builtins to import modules, run operating system commands and achieve remote code execution.
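The difference between untrusted text reaching the template source and untrusted text reaching the template data is the whole bug, so here is a compact model of it. This is an added illustration, not Genshi's code: a dict subclass stands in for the "template data first, then Python builtins" lookup rule the summary describes, and eval() is run with that mapping as its locals. The helper names and the ${...} syntax handling are assumptions made for the example.

```python
"""Simplified model of an expression evaluator whose name lookup falls
back to Python builtins when a name is missing from the template data.

Added example, not Genshi's implementation. It exists to show why an
attacker controlling the *text* of an expression gets code execution,
while an attacker controlling only a *value* passed in as data does not.
"""
import builtins
import re

# ${...} bodies; non-greedy so each expression ends at its own brace.
EXPR_RE = re.compile(r"\$\{(.*?)\}")


class LookupData(dict):
    """Mapping used as eval() locals: template data first, builtins second.

    Raising KeyError tells eval() the name is absent everywhere, so it
    produces the usual NameError for truly undefined names.
    """

    def __missing__(self, name):
        if hasattr(builtins, name):
            return getattr(builtins, name)
        raise KeyError(name)


def render(template_text, data):
    """Replace every ${expr} in template_text with str(eval(expr)).

    The globals dict carries an empty __builtins__ on purpose: the only
    road to builtins is the data-lookup fallback being illustrated, which
    is enough for __import__('os') to work.
    """
    scope = LookupData(data)

    def _substitute(match):
        return str(eval(match.group(1), {"__builtins__": {}}, scope))

    return EXPR_RE.sub(_substitute, template_text)


def render_untrusted_as_data(user_value):
    """Safe pattern: the template source is fixed, the user supplies a value.

    The value is inserted once and never re-scanned for ${...}, so a
    payload-shaped string comes back as plain text.
    """
    return render("Hello ${name}", {"name": user_value})


def render_untrusted_as_source(user_text):
    """Vulnerable pattern: user text is concatenated into the template source.

    Whatever ${...} the user wrote is now evaluated with builtin fallback.
    """
    return render("Hello " + user_text, {})


if __name__ == "__main__":
    # Harmless stand-in for an RCE chain: import a module and call it.
    payload = "${__import__('math').sqrt(16)}"
    print(render_untrusted_as_data(payload))    # Hello ${__import__('math').sqrt(16)}
    print(render_untrusted_as_source(payload))  # Hello 4.0
```

Swapping `math` for `os` and `sqrt(16)` for `popen('id').read()` in the second call is the advisory's RCE; the first call returns the same payload string untouched because the value never becomes part of the evaluated source.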

Impact Analysis

This vulnerability can have severe impact because it allows remote code execution (RCE) on the affected server with the privileges of the running application. Consequences include:

  • Execution of arbitrary operating system commands.
  • Deployment of reverse shells or web shells to maintain persistent access.
  • Unauthorized access to sensitive data stored or processed by the server.
  • Full compromise of the affected server, potentially leading to further attacks within the network.
Detection Guidance

Detecting this Server-Side Template Injection (SSTI) vulnerability means finding places where untrusted input becomes part of a template expression that Genshi then evaluates with Python's eval() or exec(). Because the vulnerability is triggered by crafted template expressions, detection can focus on the template inputs and outputs themselves, looking for expressions that never appear in legitimate data.

Specific commands are not provided in the available resources. However, general detection methods include:

  • Reviewing application and request logs for template expressions (${...} or <?python ?> blocks) that reference Python builtins or object internals such as __import__, globals(), eval(), __class__ or __subclasses__.
  • Using network monitoring to detect unusual outbound connections or process execution originating from the server running Genshi.
  • Testing the application with crafted template expressions to confirm whether arbitrary code execution is possible, for example by injecting a payload that imports a module and calls a harmless function before attempting anything that runs system commands.
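The log-review step above, written out as a scanner. This is an added example, not tooling from the advisory: it URL-decodes each request line, pulls out ${...} bodies and matches them against indicator substrings typical of a Python SSTI chain. The log lines are constructed for the example and their layout (method, path with query, status) is an assumption; the indicator list is a starting point, not a complete signature set.

```python
"""Added detection example: flag ${...} expressions in request logs that
reach for Python builtins or object internals.

The sample log is constructed here and its field layout is hypothetical.
Real logs differ, but the steps are the same: URL-decode, extract ${...}
bodies, match indicators of builtin or introspection access.
"""
import re
from urllib.parse import unquote_plus

EXPR_RE = re.compile(r"\$\{(.*?)\}")

# Substrings that rarely occur in legitimate template data but are the
# building blocks of an SSTI chain against a Python expression evaluator.
INDICATORS = (
    "__import__", "__builtins__", "__class__", "__subclasses__",
    "__mro__", "__globals__", "__getattribute__", "globals(",
    "eval(", "exec(", "getattr(", "open(", "compile(",
    "os.", "subprocess", "popen(", "system(",
)

# Constructed sample lines, not real traffic. Line 3 is URL-encoded, the
# way a payload usually arrives in an access log.
SAMPLE_LOG = """\
GET /profile?name=alice 200
GET /profile?name=${user.name} 200
GET /greet?msg=%24%7B__import__%28%27os%27%29.popen%28%27id%27%29.read%28%29%7D 200
POST /render?tpl=${''.__class__.__mro__[1].__subclasses__()} 500
GET /search?q=price%20${amount}%20only 200
"""


def scan_line(line):
    """Return [(expr, [matched indicators]), ...] for suspicious ${...} in line."""
    decoded = unquote_plus(line)
    hits = []
    for expr in EXPR_RE.findall(decoded):
        matched = [ind for ind in INDICATORS if ind in expr]
        if matched:
            hits.append((expr, matched))
    return hits


def scan_log(text):
    """Scan every line of a log; return [(line_no, expr, indicators), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for expr, matched in scan_line(line):
            findings.append((line_no, expr, matched))
    return findings


if __name__ == "__main__":
    for line_no, expr, matched in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {expr!r} -> {', '.join(matched)}")
```

Lines 2 and 5 contain ${...} but only reference ordinary context names, so they are not reported; lines 3 and 4 are the two classic chains (direct __import__, and the __class__/__mro__/__subclasses__ walk used when __import__ is not reachable).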
Mitigation Strategies

Immediate mitigation is to keep untrusted users from controlling the text of template expressions: untrusted values belong in the data passed to the template, never in the template source, and eval() or exec() must not be applied to untrusted input within or around the Genshi template engine.

  • Restrict access to Python built-in functions during template evaluation so that an attacker cannot chain calls from a builtin to arbitrary code.
  • Render user-defined templates only in a hardened sandbox (separate process, least privilege, no network egress) to limit the impact of a malicious expression.
  • Monitor and audit template inputs to ensure they do not contain malicious expressions.
  • Since no official patch is available as of the publication date, apply application-level controls that validate or allowlist template expression inputs.
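One way to implement the "restrict template expression inputs" control, as an added example that is not part of the advisory and not Genshi's own sandboxing: parse each ${...} body with Python's ast module and accept it only if every node is on an allowlist. Calls, underscore attributes and names outside the declared context are rejected, which closes both the __import__ route and the __class__/__subclasses__ route. The context names used in the demo ('user', 'items', 'amount') are assumptions for the example.

```python
"""Added example: AST allowlist validation for ${...} expressions.

Not Genshi code. The policy is deliberately strict: an expression may read
allowlisted names, follow non-underscore attributes, index or slice,
combine values with arithmetic, comparison and boolean operators, use
literals and a conditional expression. No calls, no dunder attributes,
no names outside the allowlist. Validate before handing a template to
the engine; anything rejected here never reaches eval().
"""
import ast
import re

EXPR_RE = re.compile(r"\$\{(.*?)\}")

# Node classes permitted anywhere in an accepted expression. The abstract
# bases (operator, unaryop, boolop, cmpop) cover +, -, not, and, <, etc.
ALLOWED_NODES = (
    ast.Expression, ast.Name, ast.Attribute, ast.Subscript, ast.Slice,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.IfExp, ast.Load, ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)


def expression_problem(expr, allowed_names):
    """Return None if expr passes the policy, else a string saying why not."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        return f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return f"disallowed construct: {type(node).__name__}"
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            return f"name not in allowlist: {node.id}"
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            return f"underscore attribute: {node.attr}"
    return None


def validate_template(template_text, allowed_names):
    """Return [(expr, problem), ...] for every ${...} that fails the policy.

    An empty list means the template may be passed to the engine.
    """
    problems = []
    for expr in EXPR_RE.findall(template_text):
        problem = expression_problem(expr, allowed_names)
        if problem is not None:
            problems.append((expr, problem))
    return problems


if __name__ == "__main__":
    context = {"user", "items", "amount"}
    tpl = ("Hello ${user.name}, first item ${items[0].title}, "
           "total ${amount * 2 if amount > 0 else 0}, "
           "bad ${__import__('os').getcwd()}, "
           "worse ${''.__class__.__mro__[1].__subclasses__()}")
    for expr, problem in validate_template(tpl, context):
        print(f"rejected {expr!r}: {problem}")
```

Because the check is structural rather than string-based, encoding tricks and unusual spacing do not help an attacker: anything that parses to a Call or to a `__dunder__` attribute is refused regardless of how it was written, and anything that does not parse is refused as well.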