GHSA-x6m9-38vm-2xhf: Scriban has an authorization bypass due to stale include cache surviving TemplateContext.Reset()

March 24, 2026

TemplateContext.Reset() claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previously authorized include can be served to later renders without calling TemplateLoader.Load() again.

References

github.com/advisories/GHSA-x6m9-38vm-2xhf
github.com/scriban/scriban
github.com/scriban/scriban/security/advisories/GHSA-x6m9-38vm-2xhf

Code Behaviors & Features

Detect and mitigate GHSA-x6m9-38vm-2xhf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →