CVE-2024-56363
CVE-2024-56363 is a high-severity vulnerability with a CVSS 3.x base score of 7.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-97.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-53129
- Weakness: CWE-97
- Published:
- Last modified:
Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. In 1.0, there is a vulnerability in the web application's handling of user-supplied input that is incorporated into a Jinja2 template. Specifically, when user input is improperly sanitized or validated, an attacker can inject Jinja2 syntax into the template, causing the server to execute arbitrary code. For example, an attacker might be able to inject expressions like {{ config }}, {{ self.class.mro[1].subclasses() }}, or more dangerous payloads that trigger execution of arbitrary Python code. The vulnerability can be reproduced by submitting crafted input to all the template fields handled by ckeditor, that are passed directly to a Jinja2 template. If the input is rendered without sufficient sanitization, it results in the execution of malicious Jinja2 code on the server.
Frequently asked questions
- What is CVE-2024-56363?
- APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. In 1.0, there is a vulnerability in the web application's handling of user-supplied input that is incorporated into a Jinja2 template. Specifically, when user input is improperly sanitized or validated, an attacker can inject Jinja2 syntax into the template, causing the server to execute arbitrary code. For example, an attacker might be able to inject expressions like {{ config }}, {{ self.class.mro[1].subclasses() }}, or more dangerous payloads that trigger execution of arbitrary Python code. The vulnerability can be reproduced by submitting crafted input to all the template fields handled by ckeditor, that are passed directly to a Jinja2 template. If the input is rendered without sufficient sanitization, it results in the execution of malicious Jinja2 code on the server.
- How severe is CVE-2024-56363?
- CVE-2024-56363 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-56363 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-56363?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-56363 have an EU (EUVD) identifier?
- Yes. CVE-2024-56363 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-53129.
- When was CVE-2024-56363 published?
- CVE-2024-56363 was published on 2024-12-23 and last updated on 2026-06-17.
References
- https://github.com/APTRS/APTRS/commit/9f6b6e4a56a9119eb12126a4909441e83b6d7c11
- https://github.com/APTRS/APTRS/security/advisories/GHSA-h4w2-hvcg-938j
Other CWE-97 vulnerabilities
- CVE-2025-35996 — Critical (CVSS 9.0): KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special…
- CVE-2025-21103 — High (CVSS 7.8): Dell NetWorker Management Console, version(s) 19.11 through 19.11.0.3 & Versions prior to 19.10.0.7 contain(s) an…
- CVE-2023-53934 — High (CVSS 7.5): A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted…
- CVE-2024-37621 — High (CVSS 7.2): StrongShop v1.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the component…
- CVE-2024-29686 — High (CVSS 7.2): Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary…
- CVE-2025-36558 — Medium (CVSS 6.1): KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for…