banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI
banks <= 2.4.1 uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This is a vulnerability in how banks initializes its Jinja2 environment — not in Jinja2 itself.