GHSA-frv4-x25r-588m: Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment
Summary
Giskard Agents contain a server-side template injection vulnerability in the `ChatWorkflow.chat()` method, which treats user input as template code for Jinja2 (a templating language that processes special syntax) instead of plain text. If a developer passes user-provided data directly to this method, an attacker can execute arbitrary code on the server by embedding malicious Jinja2 syntax in their input.
Solution / Mitigation
Update to giskard-agents version 0.3.4 (stable branch) or 1.0.2b1 (pre-release branch). The fix replaces the unsandboxed Jinja2 Environment with SandboxedEnvironment, which blocks access to attributes starting with underscores and prevents the class traversal attacks that enable remote code execution.
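An added example (not code from giskard-agents or the advisory) that uses Jinja2 directly to contrast the plain Environment with SandboxedEnvironment on two harmless, constructed probe strings, and to show the caller-side pattern of passing user text as a template variable. The helper names and probes are assumptions for illustration; `ChatWorkflow` itself is not called.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed probes: harmless expressions that only reveal whether the text
# was evaluated as a template and whether underscore attributes are reachable.
ARITHMETIC_PROBE = "{{ 7 * 7 }}"
UNDERSCORE_PROBE = "{{ ''.__class__.__name__ }}"

PLAIN = Environment()               # behaviour the advisory describes as pre-fix
SANDBOXED = SandboxedEnvironment()  # behaviour the advisory describes as the fix


def render_as_template(env, user_input):
    """Risky pattern: user text becomes the template source itself.

    Returns the rendered string, or None if the sandbox raised SecurityError.
    """
    try:
        return env.from_string(user_input).render()
    except SecurityError:
        return None


def render_as_data(env, user_input):
    """Safer caller pattern: fixed template, user text passed as a variable."""
    return env.from_string("User said: {{ message }}").render(message=user_input)


if __name__ == "__main__":
    for label, env in (("Environment", PLAIN), ("SandboxedEnvironment", SANDBOXED)):
        for probe in (ARITHMETIC_PROBE, UNDERSCORE_PROBE):
            result = render_as_template(env, probe)
            print(f"{label:22} as template {probe!r} -> {result!r}")
        result = render_as_data(env, UNDERSCORE_PROBE)
        print(f"{label:22} as data     {UNDERSCORE_PROBE!r} -> {result!r}")
```

The sandbox still evaluates the arithmetic probe: it limits what template code can reach, so user text is still best supplied as data rather than as template source.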
Vulnerability Details
EPSS: 0.0%
March 27, 2026
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://github.com/advisories/GHSA-frv4-x25r-588m
First tracked: March 28, 2026 at 02:00 AM