PT-2026-36830 · Netbox Community · Netbox

Valentin Lobstein · Published 2026-05-04 · Updated 2026-05-21 · CVE-2026-29514

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NetBox versions 4.3.5 through 4.5.4

Description: An issue in the RenderTemplateMixin.get_environment_params() method allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code. By specifying malicious Python callables in the environment_params field, an attacker can bypass the protections of Jinja2's SandboxedEnvironment. This is achieved by setting the finalize parameter to an importable Python callable, such as subprocess.getoutput, which is then invoked on every rendered expression outside the sandbox's call-interception mechanism, resulting in remote code execution as the NetBox service user.

Recommendations: Update NetBox to a version later than 4.5.4. As a temporary workaround, restrict the exporttemplate and configtemplate permissions to trusted users only.
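The following is added here as an illustration and is not NetBox's own code: a hypothetical allowlist resolver for the environment_params field that keeps the scalar Jinja2 options, resolves only the known jinja2 Undefined classes, and refuses finalize (and every other option that takes a callable) outright, because finalize is invoked by the compiled template on each output expression and so never passes through the sandbox's call interception. The names resolve_environment_params, is_rejected and build_sandbox are this example's own.

```python
"""Allowlist resolver for untrusted Jinja2 environment parameters (hypothetical
hardening written for this advisory, not NetBox's own code). Assumes the flaw is
a resolver that imports any dotted string value, e.g. "subprocess.getoutput"."""
import importlib
# Environment options that are plain data; none of them accepts a callable.
SAFE_SCALAR_PARAMS = {
    "block_start_string", "block_end_string", "variable_start_string",
    "variable_end_string", "comment_start_string", "comment_end_string",
    "line_statement_prefix", "line_comment_prefix", "newline_sequence",
    "trim_blocks", "lstrip_blocks", "keep_trailing_newline",
}
# Options that legitimately take a class: only these exact import paths pass.
SAFE_IMPORT_PARAMS = {
    "undefined": {"jinja2.Undefined", "jinja2.StrictUndefined",
                  "jinja2.DebugUndefined", "jinja2.ChainableUndefined"},
}

class UnsafeEnvironmentParam(ValueError):
    """Raised for any parameter that is unknown or could smuggle in a callable."""

def resolve_environment_params(user_params: dict) -> dict:
    """Vet untrusted JSON into keyword arguments for SandboxedEnvironment."""
    resolved = {}
    for name, value in user_params.items():
        if name in SAFE_SCALAR_PARAMS:
            if not isinstance(value, (bool, str)):
                raise UnsafeEnvironmentParam(f"{name}: unsupported value type")
            resolved[name] = value
        elif name in SAFE_IMPORT_PARAMS:
            if not isinstance(value, str) or value not in SAFE_IMPORT_PARAMS[name]:
                raise UnsafeEnvironmentParam(f"{name}: {value!r} not allowlisted")
            module_name, _, attr = value.rpartition(".")  # always a jinja2.* name
            resolved[name] = getattr(importlib.import_module(module_name), attr)
        else:
            # finalize, loader, extensions, autoescape, ...: never user-settable
            raise UnsafeEnvironmentParam(f"{name}: parameter not permitted")
    return resolved

def is_rejected(user_params: dict) -> bool:
    """True when the resolver refuses the parameters (handy for unit tests)."""
    try:
        resolve_environment_params(user_params)
    except UnsafeEnvironmentParam:
        return True
    return False

def build_sandbox(user_params: dict):
    """Instantiate the sandbox from vetted parameters only (jinja2 imported lazily)."""
    from jinja2.sandbox import SandboxedEnvironment
    return SandboxedEnvironment(**resolve_environment_params(user_params))
```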

Tags: Exploit, Fix, RCE

Related Identifiers: CVE-2026-29514

Affected Products: Netbox