CVE-2026-44209 HIGH

CVE-2026-44209: Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI

Vendor Masci
Product banks
Weakness CWE-1336
Published May 26, 2026
Last update June 30, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks renders prompt templates with an unsandboxed jinja2.Environment(). Applications that pass user-supplied strings as the template argument to Prompt() are therefore exposed to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This vulnerability is fixed in 2.4.2.
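The pattern behind the description, shown with plain Jinja2 as an added example (this is not banks' own code, and the helper names are hypothetical): user text rendered as the template is evaluated, user text passed as a context variable is not, and a sandboxed environment additionally refuses access to private attributes.

```python
"""Added example for CVE-2026-44209: user input as template vs. as data.

Assumes only the jinja2 package. The helper names and the sample values
below are constructed for this illustration, not taken from banks.
"""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker-controlled text. A benign arithmetic expression is
# the standard way to tell "parsed as template" apart from "treated as data".
USER_INPUT = "{{ 7 * 7 }}"

# Constructed object with a private attribute that a prompt should never expose.
class PromptContext:
    _api_key = "constructed-secret"


def render_user_string_as_template(user_string: str) -> str:
    """Vulnerable pattern (the pre-2.4.2 shape): the user string *is* the
    template, rendered by an unsandboxed Environment, so its syntax executes."""
    return Environment().from_string(user_string).render()


def render_trusted_template(user_string: str) -> str:
    """Fixed pattern: the template is a constant the application controls and
    user text only enters as a variable, so it is copied, never parsed."""
    env = SandboxedEnvironment()
    tmpl = env.from_string("Summarize the following request:\n{{ request }}")
    return tmpl.render(request=user_string)


def private_attribute_leaks(sandboxed: bool) -> bool:
    """Defense in depth: if user text still reaches from_string(), the sandbox
    blocks underscore-prefixed attributes with SecurityError instead of
    rendering them; the plain Environment happily prints the value."""
    env = SandboxedEnvironment() if sandboxed else Environment()
    try:
        out = env.from_string("{{ ctx._api_key }}").render(ctx=PromptContext())
    except SecurityError:
        return False
    return out == PromptContext._api_key


if __name__ == "__main__":
    print(render_user_string_as_template(USER_INPUT))  # 49
    print(render_trusted_template(USER_INPUT))         # literal {{ 7 * 7 }}
    print(private_attribute_leaks(sandboxed=False))    # True
    print(private_attribute_leaks(sandboxed=True))     # False
```

The durable fix is the second pattern (user text only as a variable); the sandbox is a second layer, not a substitute for it.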

Key dates

Disclosure timeline

May 26, 2026 CVE published
June 30, 2026 Record updated