wayflowcore is vulnerable to Server-side Template Injection
42
Medium Risk
Affected versions of this package allow insecure Jinja template rendering due to insufficient sandbox restrictions, which may permit unintended access to object attributes and sensitive runtime data. This can lead to unauthorized data exposure or server-side template injection (SSTI) when untrusted input is processed within templates. An attacker might exploit this by injecting crafted template expressions that access internal objects, bypass intended data boundaries, or manipulate application logic during template rendering. Upgrading to the stricter SandboxedEnvironment limits access to key-based structures only, reducing the attack surface and preventing unauthorized attribute access.
You are affected if you are using a version that falls within the vulnerable range.
wayflowcore is vulnerable to Server-side Template Injection in versions 25.4.1 - 26.0.0.
Upgrade the wayflowcore library to the patched version.
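The difference between sandbox levels described above can be checked directly against Jinja2. The following is an added example, not wayflowcore's code or its actual patch: `KeyOnlySandbox`, `Session`, `render` and the token value are hypothetical names and constructed data, and the sketch assumes the `jinja2` package is installed.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


class KeyOnlySandbox(SandboxedEnvironment):
    """Hypothetical strict sandbox: key/index lookups only, no object attributes."""

    def __init__(self, **kwargs):
        # StrictUndefined makes a refused lookup raise instead of rendering "".
        kwargs.setdefault("undefined", StrictUndefined)
        super().__init__(**kwargs)

    def is_safe_attribute(self, obj, attr, value):
        # Called only after getattr(obj, attr) succeeded, so it sees real
        # attributes and methods. Lookups resolved through obj[key] skip it.
        return False


class Session:
    """Constructed sample object standing in for internal runtime state."""

    def __init__(self):
        self.user = "alice"
        self.api_token = "constructed-token-123"  # constructed value


def render(env, source, **context):
    """Render `source`; return 'BLOCKED' when the sandbox refuses an access."""
    try:
        return env.from_string(source).render(**context)
    except SecurityError:
        return "BLOCKED"


if __name__ == "__main__":
    template = "{{ session.api_token }}"
    for env in (Environment(), SandboxedEnvironment(), KeyOnlySandbox()):
        print(type(env).__name__, "->", render(env, template, session=Session()))
    # Key-based data still renders under the strict sandbox.
    print(render(KeyOnlySandbox(), "{{ data.user }}", data={"user": "alice"}))
```

The default `SandboxedEnvironment` only refuses underscore-prefixed and internal attributes, so the public `api_token` attribute still renders; the key-only subclass refuses it while plain dictionary data keeps working.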