CVE-2026-44916
3.0 LOWIn OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing
Published: 2026-05-08 · Last updated: 2026-05-20
Severity and scoring
- CVSS
- 3.0 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
- CWE
- CWE-1336
Description
In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-41065 — Tautulli is a Python based monitoring and tracking tool for Plex Media Server
- CVE-2026-34906 — Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE)
- CVE-2026-42252 — Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `Ba... (9.1 CRITICAL)
- CVE-2026-45697 — Formie is a Craft CMS plugin for creating forms (9.8 CRITICAL)
- CVE-2026-49382 — In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin (4.5 MEDIUM)