Jinja · Jinja · CVE-2024-56326
**Name of the Vulnerable Software and Affected Versions**
Jinja versions prior to 3.1.5
**Description**
Jinja is an extensible templating engine. An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the issue, an attacker needs to control the content of a template; whether that is possible depends on the type of application using Jinja. This affects users of applications that execute untrusted templates. Jinja's sandbox catches direct calls to `str.format`, but it does not prevent a template from storing a reference to a malicious string's `format` method and passing it to a filter that calls it. Custom filters in an application could be used to exploit this.
**Recommendations**
For versions prior to 3.1.5, update to version 3.1.5 or later to fix the vulnerability. As a temporary workaround, consider restricting the use of custom filters in applications that execute untrusted templates.