CVE-2024-37301

CRITICAL Year: 2024
CVSS v3 Score
9.9
Critical
Weakness Type
CWE-1336
View all →

Vulnerability Description

Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.

Related Vulnerabilities

CVE-2024-12583

CRITICAL
CVSS:9.9(Critical)

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. T...

CWE-13362024

CVE-2025-23211

CRITICAL
CVSS:9.9(Critical)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the p...

CWE-13362025

CVE-2025-32461

CRITICAL
CVSS:9.9(Critical)

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

CWE-13362025

CVE-2023-6709

CRITICAL
CVSS:10.0(Critical)

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CWE-13362023

CVE-2024-23692

CRITICAL
CVSS:9.8(Critical)

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary comma...

CWE-13362024

CVE-2024-24724

CRITICAL
CVSS:9.8(Critical)

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messeng...

CWE-13362024