CVE-2026-29514

Source
https://cve.org/CVERecord?id=CVE-2026-29514
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29514.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29514
Published
2026-05-04T16:05:33.894Z
Modified
2026-07-08T08:12:26.490752894Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin
Details

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.getenvironmentparams() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-183"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29514.json"
}
References

Affected packages

Git / github.com/netbox-community/netbox

Affected ranges

Type
GIT
Repo
https://github.com/netbox-community/netbox
Events
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "4.3.5"
        },
        {
            "fixed": "4.5.4"
        }
    ]
}

Affected versions

v4.*
v4.3.5
v4.3.6
v4.3.7
v4.4.0
v4.4.1
v4.4.10
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.10
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v4.5.8
v4.5.9
v4.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29514.json"