Server-Side Template Injection (SSTI)

Vulnerability Details

Severity: Critical

Category: Web Application

Description

The application embeds user input into server-side templates without proper sanitization, allowing attackers to inject template directives that execute arbitrary code on the server.

Risks

Successful exploitation can lead to remote code execution, full server compromise, data exfiltration, and lateral movement within the infrastructure.

Remediation

Never pass user input directly into template strings; keep templates fixed in code and hand user-supplied values to the engine as data. Use logic-less template engines where possible. Sandbox template execution environments. Validate and sanitize all user input before template processing.
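The defect and the first remediation point, shown side by side as an added example that is not part of this advisory. It assumes the Jinja2 engine is available; the function names, the fixed greeting template and the probe input are constructed for illustration. The vulnerable function concatenates user input into the template source, so the engine parses whatever directives the input carries; the hardened function keeps the template fixed and passes the input as a variable, so the same text is emitted literally (and HTML in it is escaped). A small validator flags inputs that carry template delimiters, which doubles as a detection signal for fields that have no legitimate reason to contain them.

```python
# Added example (not the advisory's own code): vulnerable pattern beside its
# hardened form, using Jinja2 (an assumed dependency). Function names and the
# sample inputs are constructed for illustration.
from jinja2 import Environment

# The template lives in code; only the data it renders comes from users.
GREETING_TEMPLATE = "Hello {{ name }}"

# Jinja2 delimiters that a plain display-name field should never contain.
TEMPLATE_DELIMITERS = ("{{", "{%", "{#")


def render_vulnerable(user_input: str) -> str:
    """Concatenate user input into the template source (the SSTI defect).

    Anything in user_input that looks like a template directive is parsed
    and evaluated by the engine on the server.
    """
    env = Environment()
    template = env.from_string("Hello " + user_input)
    return template.render()


def render_safe(user_input: str) -> str:
    """Keep the template fixed and pass user input as a render variable.

    The engine treats the value as data: template syntax inside it is
    emitted literally, and autoescaping encodes HTML on output.
    """
    env = Environment(autoescape=True)
    template = env.from_string(GREETING_TEMPLATE)
    return template.render(name=user_input)


def contains_template_syntax(user_input: str) -> bool:
    """Input validation and detection hook: True if Jinja2 delimiters appear.

    Suitable as a server-side reject rule for fields that should never hold
    template syntax, and as a condition for logging the request.
    """
    return any(delim in user_input for delim in TEMPLATE_DELIMITERS)


if __name__ == "__main__":
    # Constructed input: harmless arithmetic that is only evaluated if the
    # input reaches the template parser.
    probe = "{{ 7 * 7 }}"
    print("vulnerable:", render_vulnerable(probe))   # Hello 49
    print("safe:      ", render_safe(probe))         # Hello {{ 7 * 7 }}
    print("flagged:   ", contains_template_syntax(probe))  # True
```

The difference is entirely in where the user's string enters the pipeline: as template source it is code, as a render variable it is data. The validator is a defence-in-depth check for fields such as names or titles; it is not a substitute for the fixed-template pattern, since the engine's own handling of data is what makes the output safe.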