{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5559", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T13:54:35.492Z", "datePublished": "2026-04-05T10:15:15.559Z", "dateUpdated": "2026-04-06T16:19:35.483Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T10:15:15.559Z"}, "title": "AntaresMugisho PyBlade AST Validation sandbox.py _is_safe_ast special elements used in a template engine", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1336", "lang": "en", "description": "Improper Neutralization of Special Elements Used in a Template Engine"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-791", "lang": "en", "description": "Incomplete Filtering of Special Elements"}]}], "affected": [{"vendor": "AntaresMugisho", "product": "PyBlade", "versions": [{"version": "0.1.8-alpha", "status": "affected"}, {"version": "0.1.9-alpha", "status": "affected"}], "modules": ["AST Validation"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function _is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T15:59:40.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "zhangxinyu06 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355329", "name": "VDB-355329 | AntaresMugisho PyBlade AST Validation sandbox.py _is_safe_ast special elements used in a template engine", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355329/cti", "name": "VDB-355329 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782904", "name": "Submit #782904 | AntaresMugisho PyBlade v0.1.8-alpha through v0.2.0-alph Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AntaresMugisho/PyBlade/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/AntaresMugisho/PyBlade/issues/1#issue-4086730906", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/AntaresMugisho/PyBlade/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T16:19:26.099230Z", "id": "CVE-2026-5559", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:19:35.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "AntaresMugisho PyBlade AST Validation sandbox.py _is_safe_ast special elements used in a template engine", "credits": [{"lang": "en", "type": "reporter", "value": "zhangxinyu06 (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "AntaresMugisho", "modules": ["AST Validation"], "product": "PyBlade", "versions": [{"status": "affected", "version": "0.1.8-alpha"}, {"status": "affected", "version": "0.1.9-alpha"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T15:59:40.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355329", "name": "VDB-355329 | AntaresMugisho PyBlade AST Validation sandbox.py _is_safe_ast special elements used in a template engine", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355329/cti", "name": "VDB-355329 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782904", "name": "Submit #782904 | AntaresMugisho PyBlade v0.1.8-alpha through v0.2.0-alph Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AntaresMugisho/PyBlade/issues/1", "tags": ["issue-tracking"]}, {"url": "https://github.com/AntaresMugisho/PyBlade/issues/1#issue-4086730906", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/AntaresMugisho/PyBlade/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function _is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "Improper Neutralization of Special Elements Used in a Template Engine"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-791", "description": "Incomplete Filtering of Special Elements"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T10:15:15.559Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5559", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T16:19:26.099230Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-06T16:19:31.227Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-5559", "state": "PUBLISHED", "dateUpdated": "2026-04-05T10:15:15.559Z", "dateReserved": "2026-04-04T13:54:35.492Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T10:15:15.559Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function _is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5559", "lastModified": "2026-04-05T11:16:55.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T11:16:55.900", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/AntaresMugisho/PyBlade/"}, {"source": "cna@vuldb.com", "url": "https://github.com/AntaresMugisho/PyBlade/issues/1"}, {"source": "cna@vuldb.com", "url": "https://github.com/AntaresMugisho/PyBlade/issues/1#issue-4086730906"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782904"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355329"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355329/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-791"}, {"lang": "en", "value": "CWE-1336"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.8-alpha"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.9-alpha"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PyBlade", "source": "cna", "vendor": "AntaresMugisho"}, "product": "pyblade", "vendor": "antaresmugisho"}], "analysis": {"en": {"generated_at": "2026-04-05T14:21:22.656958+00:00", "value": {"mitigation_remediation": ["Apply the official vendor patch for PyBlade when it becomes available.", "Until a patch is released, limit PyBlade usage to strictly trusted templates and avoid rendering user\u2011supplied content.", "Sanitise any template input or disable features that allow special element processing within the engine.", "Monitor the project's repository and security advisories for updates, and apply the patch promptly when released."], "summary": {"action": "Apply Patch", "impact": "Template Injection"}, "threat_synthesis": {"affected_systems": "The product impacted is AntaresMugisho PyBlade, specifically the 0.1.8\u2011alpha and 0.1.9\u2011alpha releases. No other vendors or product variations are recorded as affected.", "description_and_impact": "The flaw lies in the _is_safe_ast routine of AntaresMugisho PyBlade, where custom abstract\u2011syntax\u2011tree elements are not correctly neutralised by the sandbox during rendering. This oversight allows an attacker to inject syntax that the engine processes as ordinary code, potentially enabling code execution or other malicious behaviours. The advisory confirms the vulnerability can be leveraged remotely by submitting crafted templates, so an attacker does not need local filesystem access to initiate the attack.", "risk_and_exploitability": "The CVSS score of 5.3 positions the vulnerability as moderate severity. Though an EPSS estimate is not publicly available, the issue has been publicly disclosed and is not listed in the CISA KEV catalogue, meaning attackers may still target it. The remote nature of the attackable vector increases its threat profile, and the absence of an available vendor patch keeps the risk persistent until remediation is applied."}}}}, "created": "2026-04-06T20:26:20.339593+00:00", "updated": "2026-04-06T21:56:54.549869+00:00", "vendors": ["antaresmugisho", "antaresmugisho$PRODUCT$pyblade"]}