{"data":{"id":"fecc9365-42bf-48ff-958c-3284c8c3e535","title":"GHSA-gphh-9q3h-jgpp: banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI","summary":"The `banks` library, version 2.4.1 and earlier, has a critical Remote Code Execution vulnerability because it renders prompt templates with an unsandboxed environment of Jinja2 (a template engine that processes text containing special syntax). If an application accepts user-supplied strings as templates and passes them to the `Prompt()` function, an attacker can inject malicious template code that executes arbitrary commands on the server.","solution":"Fixed in `banks 2.4.2` by switching to `jinja2.sandbox.SandboxedEnvironment`, which blocks the dunder-attribute traversal chain (accessing internal Python object attributes through double-underscore names) that the exploit relies on. Developers using `banks <= 2.4.1` should upgrade to version 2.4.2 and should not pass untrusted user input as the template argument to `Prompt()`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-gphh-9q3h-jgpp","publishedAt":"2026-05-08T20:36:22.000Z","cveId":"CVE-2026-44209","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":["banks@<= 2.4.1 (fixed: 2.4.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["banks","Haystack","spacy-llm"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-08T20:36:22.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}