CVE-2026-44209

HIGH 7.5

Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI

CVSS Score

7.5

EPSS Score

0.2%

EPSS Percentile

36th

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This vulnerability is fixed in 2.4.2.

CWE	CWE-1336
Vendor	masci
Product	banks
Published	May 26, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for masci banks

Be the first to know when new high vulnerabilities affecting masci banks are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

masci / banks

< 2.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/masci/banks/security/advisories/GHSA-gphh-9q3h-jgpp github.com: https://github.com/masci/banks/pull/74