HIGH
netbox-community
CVE published 2026-05-04
CVE-2026-29514
A remote code execution vulnerability exists in NetBox versions 4.3.5 through 4.5.4. The RenderTemplateMixin.get_environment_params() method allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize param [truncated]
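
A defensive check for the environment_params field described above, added here as an example; it is not NetBox's own code. The allowlist policy, the function names and the sample records are assumptions constructed for illustration; the option names themselves are Jinja2 Environment keyword arguments.

```python
# Added example: audit Jinja2 environment_params values stored with templates.
# SAFE_KEYS is an assumed allowlist policy, not NetBox's own list.

# Jinja2 Environment options whose values are plain strings or booleans.
SAFE_KEYS = {
    "block_start_string": str, "block_end_string": str,
    "variable_start_string": str, "variable_end_string": str,
    "comment_start_string": str, "comment_end_string": str,
    "line_statement_prefix": str, "line_comment_prefix": str,
    "newline_sequence": str,
    "trim_blocks": bool, "lstrip_blocks": bool,
    "keep_trailing_newline": bool,
}

# Jinja2 Environment options that accept a callable, class or object.
# These should never be populated from user-editable data.
CODE_BEARING_KEYS = {
    "finalize", "undefined", "autoescape",
    "loader", "bytecode_cache", "extensions",
}

def audit_environment_params(params):
    """Return a list of (key, reason) findings; an empty list means acceptable."""
    if params is None:
        return []
    if not isinstance(params, dict):
        return [("<root>", "environment_params must be a JSON object")]
    findings = []
    for key, value in params.items():
        if key in CODE_BEARING_KEYS:
            findings.append((key, "option accepts code or objects"))
        elif key not in SAFE_KEYS:
            findings.append((key, "option not on allowlist"))
        elif type(value) is not SAFE_KEYS[key]:
            findings.append((key, "unexpected value type"))
    return findings

def audit_all(records):
    """Map template name -> findings, keeping only templates with findings."""
    results = {name: audit_environment_params(p) for name, p in records.items()}
    return {name: f for name, f in results.items() if f}

# Constructed sample records (template name -> environment_params).
SAMPLES = {
    "device-export": {"trim_blocks": True, "lstrip_blocks": True},
    "odd-template": {"finalize": "placeholder.module.function", "trim_blocks": "yes"},
    "no-params": None,
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, findings)
```

Run against an export of existing export and config templates, any finding on a code-bearing key such as finalize is worth reviewing together with who holds the exporttemplate or configtemplate permissions.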