appsec.fyi — Server-Side Template Injection (SSTI) https://appsec.fyi/ssti.html Curated Server-Side Template Injection (SSTI) resources from appsec.fyi en-us Fri, 10 Apr 2026 21:32:17 +0000 carl@chs.us (Carl Sampson) GoSecure: Template Injection in Action workshop https://gosecure.github.io/template-injection-workshop/ https://gosecure.github.io/template-injection-workshop/ GoSecure: Template Injection in Action workshop Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:07 +0000 Jinja2 SSTI filter bypasses https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f Jinja2 SSTI filter bypasses Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:06 +0000 OnSecurity: Server Side Template Injection with Jinja2 https://onsecurity.io/article/server-side-template-injection-with-jinja2/ https://onsecurity.io/article/server-side-template-injection-with-jinja2/ OnSecurity: Server Side Template Injection with Jinja2 Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:06 +0000 Flask & Jinja2 SSTI cheatsheet https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti Flask & Jinja2 SSTI cheatsheet Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:05 +0000 Grav: SSTI via Twig escape handler advisory https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58 https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58 Grav: SSTI via Twig escape handler advisory Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:04 +0000 Exploit-DB: Twig 2.4.4 Server Side Template Injection https://www.exploit-db.com/exploits/44102 https://www.exploit-db.com/exploits/44102 Exploit-DB: Twig 2.4.4 Server Side Template Injection Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:03 +0000 OpenMetadata: FreeMarker SSTI in email templates leads to RCE https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7 https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7 OpenMetadata: FreeMarker SSTI in email templates leads to RCE Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:02 +0000 CVE-2023-49964: FreeMarker SSTI in Alfresco https://github.com/mbadanoiu/CVE-2023-49964 https://github.com/mbadanoiu/CVE-2023-49964 CVE-2023-49964: FreeMarker SSTI in Alfresco Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:02 +0000 GitHub Security Lab: SSTI in Apache Camel — CVE-2020-11994 https://securitylab.github.com/advisories/GHSL-2020-086-087-088-089-apache-camel/ https://securitylab.github.com/advisories/GHSL-2020-086-087-088-089-apache-camel/ GitHub Security Lab: SSTI in Apache Camel — CVE-2020-11994 Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:01 +0000 Breaking the Barrier: RCE via SSTI in FreeMarker https://medium.com/@armaanpathan/breaking-the-barrier-remote-code-execution-via-ssti-in-freemarker-template-engine-9797079752ac https://medium.com/@armaanpathan/breaking-the-barrier-remote-code-execution-via-ssti-in-freemarker-template-engine-9797079752ac Breaking the Barrier: RCE via SSTI in FreeMarker Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:00 +0000 Synack: Discovering an SSTI vulnerability in FreeMarker https://www.synack.com/exploits-explained/exploits-explained-discovering-a-server-side-template-injection-vuln-in-freemarker/ https://www.synack.com/exploits-explained/exploits-explained-discovering-a-server-side-template-injection-vuln-in-freemarker/ Synack: Discovering an SSTI vulnerability in FreeMarker Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:22:00 +0000 YesWeHack: Limitations are just an illusion — advanced SSTI exploitation with RCE everywhere https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation YesWeHack: Limitations are just an illusion — advanced SSTI exploitation with RCE everywhere Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:58 +0000 vladko312/SSTImap: Automatic SSTI detection tool with interactive interface https://github.com/vladko312/SSTImap https://github.com/vladko312/SSTImap vladko312/SSTImap: Automatic SSTI detection tool with interactive interface Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:57 +0000 epinna/tplmap: SSTI and Code Injection Detection and Exploitation Tool https://github.com/epinna/tplmap https://github.com/epinna/tplmap epinna/tplmap: SSTI and Code Injection Detection and Exploitation Tool Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:56 +0000 PayloadsAllTheThings SSTI: Java https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Java.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Java.md PayloadsAllTheThings SSTI: Java Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:55 +0000 PayloadsAllTheThings: Server Side Template Injection https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection PayloadsAllTheThings: Server Side Template Injection Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:54 +0000 HackTricks: Jinja2 SSTI https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti HackTricks: Jinja2 SSTI Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:53 +0000 HackTricks: SSTI (Server Side Template Injection) https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection HackTricks: SSTI (Server Side Template Injection) Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:52 +0000 OWASP Testing for Server Side Template Injection https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection OWASP Testing for Server Side Template Injection Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:52 +0000 Server-side template injection PortSwigger KB https://portswigger.net/kb/issues/00101080_server-side-template-injection https://portswigger.net/kb/issues/00101080_server-side-template-injection Server-side template injection PortSwigger KB Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:51 +0000 Exploiting server-side template injection vulnerabilities https://portswigger.net/web-security/server-side-template-injection/exploiting https://portswigger.net/web-security/server-side-template-injection/exploiting Exploiting server-side template injection vulnerabilities Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:50 +0000 Template Injection Research | PortSwigger Research https://portswigger.net/research/template-injection https://portswigger.net/research/template-injection Template Injection Research | PortSwigger Research Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:49 +0000 Server-Side Template Injection | PortSwigger Research https://portswigger.net/research/server-side-template-injection https://portswigger.net/research/server-side-template-injection Server-Side Template Injection | PortSwigger Research Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:48 +0000 Server-side template injection | Web Security Academy https://portswigger.net/web-security/server-side-template-injection https://portswigger.net/web-security/server-side-template-injection Server-side template injection | Web Security Academy Server-Side Template Injection (SSTI) Fri, 10 Apr 2026 21:21:48 +0000