{"data":{"id":"db5b7ca6-0269-4452-9cfb-ff186507cc05","title":"GHSA-frv4-x25r-588m: Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment","summary":"Giskard Agents contain a server-side template injection vulnerability in the `ChatWorkflow.chat()` method, which treats user input as Jinja2 template code (a templating language that processes special syntax) instead of plain text. If a developer passes user-provided data directly to this method, an attacker can execute arbitrary code on the server by embedding malicious Jinja2 syntax in their input.","solution":"Update to giskard-agents version 0.3.4 (stable branch) or 1.0.2b1 (pre-release branch). The fix replaces the unsandboxed Jinja2 Environment with SandboxedEnvironment, which blocks access to attributes starting with underscores and prevents the class traversal attacks that enable remote code execution.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-frv4-x25r-588m","publishedAt":"2026-03-27T22:17:30.000Z","cveId":"CVE-2026-34172","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["giskard-agents@>= 1.0.1a1, <= 1.0.2a1 (fixed: 1.0.2b1)","giskard-agents@<= 0.3.3 (fixed: 0.3.4)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Giskard","Giskard Agents"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-27T22:17:30.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}