PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44209 masci CVE debrief

## Summary

A Server-Side Template Injection (SSTI) vulnerability in the Banks LLM prompt templating library (versions prior to 2.4.2) allows remote code execution when user-supplied strings are passed as the template string argument to the `Prompt()` constructor. The root cause is the use of an unsandboxed `jinja2.Environment()` for rendering prompt templates.

## Technical Details

Banks is a Python library that generates LLM prompts using Jinja2 templating. Prior to version 2.4.2, the library instantiated `jinja2.Environment()` without sandbox restrictions. When an application passes untrusted user input directly as the template string (rather than as a template variable), an attacker can inject Jinja2 syntax that the engine evaluates, and because the environment is unsandboxed that syntax can reach Python object internals and execute arbitrary code on the host.

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) scores 7.5 (High): network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and complete confidentiality, integrity and availability impact. The assigned weakness is CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

## Affected Versions

- Banks versions prior to 2.4.2

## Fixed Versions

- Banks 2.4.2 and later

## Recommended Actions

1. **Upgrade immediately** to Banks 2.4.2 or later, which sandboxes template rendering.
2. **Review application code** for any location where a user-supplied string is passed as the template argument to `Prompt()` rather than as a template variable.
3. **Architectural hardening**: always pass user input as template context data, never as the template string itself.
4. **Input validation**: apply a strict allowlist to any template strings that must be constructed dynamically.
5. **Runtime monitoring**: detect Jinja2 template syntax (the `{{` and `{%` delimiters) in inputs that feed prompt construction.
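The root cause and the fix pattern described above, as an added example that is not Banks' own code: `build_prompt_vulnerable` reproduces the anti-pattern the advisory describes (untrusted text concatenated into the template source and rendered by a plain `jinja2.Environment`), while `build_prompt_hardened` passes the same text as template data through `jinja2.sandbox.SandboxedEnvironment`. The function names, the prompt wording and the two attacker inputs are constructed for this example; it does not call Banks' `Prompt()` API, and the assumption that the 2.4.2 fix uses `SandboxedEnvironment` specifically is mine, not a statement from this page.

```python
"""Vulnerable vs. hardened prompt templating.

Added example: this is not Banks' code. It reproduces the pattern the advisory
describes with jinja2 directly and assumes (not stated on the page) that the
fixed library uses jinja2's SandboxedEnvironment.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed attacker inputs. PROBE is the classic SSTI canary: if the engine
# evaluates it, "49" appears instead of the literal text. INTERNALS is the
# first hop of the well-known Jinja2 attribute walk from a string literal to
# Python's class hierarchy, the path that RCE payloads build on.
PROBE = "{{ 7 * 7 }}"
INTERNALS = "{{ ''.__class__.__mro__ }}"

PREFIX = "Summarise the following request: "  # assumed prompt wording


def build_prompt_vulnerable(user_text: str) -> str:
    """The anti-pattern behind CVE-2026-44209: untrusted text becomes part of
    the template *source* and is rendered by an unsandboxed Environment."""
    template_source = PREFIX + user_text
    return Environment().from_string(template_source).render()


def build_prompt_hardened(user_text: str) -> str:
    """Untrusted text is template *data*; the template source is a constant.
    The engine copies the value verbatim and never parses it as a template."""
    env = SandboxedEnvironment()
    template = env.from_string(PREFIX + "{{ user_text }}")
    return template.render(user_text=user_text)


def sandbox_blocks(template_source: str) -> bool:
    """Defence in depth: render an attacker-controlled template source under the
    sandbox and report whether jinja2 refused it. The sandbox rejects access to
    underscore-prefixed attributes, which stops the INTERNALS walk, but it still
    evaluates ordinary expressions such as PROBE."""
    try:
        SandboxedEnvironment().from_string(template_source).render()
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(build_prompt_vulnerable(PROBE))      # the arithmetic was evaluated
    print(build_prompt_vulnerable(INTERNALS))  # the class hierarchy is exposed
    print(build_prompt_hardened(PROBE))        # the literal "{{ 7 * 7 }}" survives
    print(sandbox_blocks(INTERNALS), sandbox_blocks(PROBE))
```

Note the asymmetry in `sandbox_blocks`: the sandbox refuses the `__class__` hop but happily evaluates `{{ 7 * 7 }}`, so an attacker who controls the template source still controls what the prompt says. That is why the upgrade (sandboxing) and the refactor (user input as data) are listed as separate actions; the sandbox limits the blast radius, while passing input as context data removes the injection point entirely.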
## Timeline

- **2026-05-26**: CVE published and vulnerability disclosed

## References

- CVE Record: CVE-2026-44209
- NVD Entry: CVE-2026-44209
- GitHub Security Advisory: GHSA-gphh-9q3h-jgpp
- Fix Pull Request: #74

Vendor
masci
Product
banks
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations using the Banks Python library for LLM prompt generation, particularly those accepting user input for template construction

Technical summary

An unsandboxed Jinja2 Environment in Banks <2.4.2 allows RCE when user input is used as the template string

Defensive priority

critical

Recommended defensive actions

  • Upgrade to Banks 2.4.2 or later
  • Audit code for user-supplied template strings passed to Prompt()
  • Refactor to pass user input as template variables, not template strings
  • Implement input validation for dynamic template construction
  • Deploy runtime monitoring for suspicious template syntax
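The last two defensive actions (input validation with an allowlist, runtime monitoring for template syntax) as an added example in plain Python; this is not PatchSiren's or Banks' code. Requests may pick a prompt template by key from a fixed table but never supply template source, and every string field that feeds a prompt is scanned for Jinja2 delimiters and for the introspection identifiers that recur in published Jinja2 SSTI payloads. The template keys, the regexes and the four sample requests are constructed for this example.

```python
"""Input-side controls for prompt templating (added example, not Banks code)."""
import re
from dataclasses import dataclass

# Jinja2's default opening delimiters. End-user text destined for an LLM
# prompt has no legitimate reason to contain them, so they are a strong signal.
_DELIMITERS = re.compile(r"\{\{|\{%|\{#")
# Identifiers that recur in published Jinja2 SSTI payloads: dunder attribute
# walks, class introspection and module loading.
_INTROSPECTION = re.compile(
    r"__[a-z]+__|\bmro\b|subclasses|globals|builtins|\bimport\b", re.IGNORECASE
)

# Allowlist (assumed for this example): the template *source* is fixed at
# deploy time; a request may only select one of these keys.
PROMPT_TEMPLATES = {
    "summarise": "Summarise the following request: {{ user_text }}",
    "translate": "Translate the following into {{ lang }}: {{ user_text }}",
}


@dataclass(frozen=True)
class Finding:
    request_id: str
    field: str
    reason: str


def select_template(name: str) -> str:
    """Allowlisting: an unknown key is rejected, never treated as a template."""
    try:
        return PROMPT_TEMPLATES[name]
    except KeyError:
        raise ValueError(f"unknown prompt template {name!r}") from None


def scan_value(request_id: str, field: str, value: str) -> list[Finding]:
    """Detection rule for runtime monitoring: flag template delimiters and
    introspection names in any request field that feeds a prompt."""
    findings = []
    if _DELIMITERS.search(value):
        findings.append(Finding(request_id, field, "jinja2 delimiter in input"))
    if _INTROSPECTION.search(value):
        findings.append(Finding(request_id, field, "introspection identifier in input"))
    return findings


def triage(requests: list[dict]) -> list[Finding]:
    """Check the template key against the allowlist, then run every string
    field of every request through the scanner."""
    findings = []
    for req in requests:
        try:
            select_template(req["template"])
        except ValueError:
            findings.append(Finding(req["id"], "template", "template key not in allowlist"))
        for field, value in req.items():
            if field != "id" and isinstance(value, str):
                findings.extend(scan_value(req["id"], field, value))
    return findings


# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = [
    {"id": "r1", "template": "summarise", "user_text": "Summarise the Q3 earnings call."},
    {"id": "r2", "template": "summarise", "user_text": "{{ 7 * 7 }}"},
    {"id": "r3", "template": "{{ ''.__class__.__mro__ }}", "user_text": "hello"},
    {"id": "r4", "template": "translate", "lang": "fr",
     "user_text": "What does {% raw %} mean in Jinja?"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        print(f"{f.request_id} {f.field}: {f.reason}")
```

Request r4 shows the caveat: a genuine question about Jinja syntax trips the delimiter rule. With user input passed as template data that request is harmless, so the scanner is an alerting signal for an application that is already built correctly, not a blocking control that substitutes for the refactor.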

Evidence notes

Vulnerability description and fix version derived from official CVE record and GitHub security advisory. CVSS vector and CWE classification from NVD source data. No KEV listing or known ransomware campaign use identified.

Official resources

public