Improper Neutralization of Special Elements Used in a Template Engine
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User-supplied data taken from request objects (query, body, params, cookies, or headers) is passed directly into a server-side template engine such as Pug, EJS, or Handlebars as part of the template source, for example by concatenating it into the template string or by handing the request value to `compile` or `render` as the template itself, rather than supplying it as a data value (a "local") for a fixed template to render. Template engines treat the template source as code: in Pug and EJS the template language can evaluate arbitrary JavaScript, so anything an attacker can place in the template source is executed by the engine on the server. This is server-side template injection (SSTI). The distinction the check looks for is where the request data ends up: as the template (dangerous) or as data passed to an already-compiled template (safe).
Impact
If exploited, an attacker can execute arbitrary code in the Node.js process, read files, environment variables, and secrets available to it, and from there compromise the entire application and host. Even where the engine restricts what a template can evaluate, template control still lets an attacker read everything in the rendering context. This class of vulnerability leads to data breaches, unauthorized access, and complete server takeover.