CVE-2026-46439: compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI)
A High severity Server-Side Template Injection (SSTI) vulnerability exists in the trestle author jinja command. The command recursively re-evaluates the output of rendered templates, allowing an attacker to achieve arbitrary code execution with the privileges of the process running trestle by placing template syntax in data fields (such as SSP documents or Lookup Tables) that are rendered into a template.
The vulnerability does not require attacker control of the template itself; attacker-controlled input data rendered into a trusted template is sufficient.
This distinction is critical: the template author may intend only to render plain text (e.g., Title: {{ ssp.metadata.title }}), but because the rendered output is compiled and rendered again, any template syntax contained in the data field is executed on the next pass.
The root cause is this recursive re-compilation and re-rendering of already-rendered output.
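The following is an added illustration of the pattern described above, not compliance-trestle's own code. It assumes Jinja2 is installed; the function names (render_recursive, render_once, find_template_markup) and the SSP-like sample document are constructed for this example. The payload in the data field is a harmless arithmetic expression so that evaluation is observable without any side effects.

```python
"""Recursive template re-rendering versus single-pass rendering (added example).

Not compliance-trestle's code. Requires Jinja2. Names and sample data are
hypothetical and constructed for illustration.
"""
from jinja2 import Environment, StrictUndefined

# Constructed sample data. The attacker controls only this *data* field,
# never the template. "{{ 7 * 7 }}" stands in for a real payload.
SSP = {"metadata": {"title": "Payroll System {{ 7 * 7 }}"}}
CONTEXT = {"ssp": SSP}

# Trusted template written by the document author: it only means to print text.
TEMPLATE = "Title: {{ ssp.metadata.title }}"

# Hypothetical environment; StrictUndefined just makes typos in templates loud.
env = Environment(undefined=StrictUndefined)


def render_recursive(template_src: str, data: dict, max_passes: int = 5) -> str:
    """Vulnerable pattern: compile the *output* of each pass as a new template
    until it stops changing. Whatever template syntax the data contained is
    therefore compiled and executed on the following pass."""
    out = template_src
    for _ in range(max_passes):
        rendered = env.from_string(out).render(**data)
        if rendered == out:
            break
        out = rendered
    return out


def render_once(template_src: str, data: dict) -> str:
    """Hardened pattern: compile only the trusted template, exactly once.
    Data is substituted as an opaque string and is never re-parsed."""
    return env.from_string(template_src).render(**data)


def find_template_markup(value, path: str = "") -> list:
    """Defensive check for untrusted data: return dotted paths of every string
    field that contains Jinja2 delimiters. Useful as a pre-render validator or
    as a detection rule over imported documents."""
    hits = []
    if isinstance(value, dict):
        for key, item in value.items():
            hits.extend(find_template_markup(item, f"{path}.{key}" if path else key))
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            hits.extend(find_template_markup(item, f"{path}[{idx}]"))
    elif isinstance(value, str):
        if any(marker in value for marker in ("{{", "{%", "{#")):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("recursive:", render_recursive(TEMPLATE, CONTEXT))
    print("single   :", render_once(TEMPLATE, CONTEXT))
    print("suspect  :", find_template_markup(SSP))
```

With the recursive renderer the first pass emits the literal title, and the second pass compiles that output, so the expression inside the data is evaluated and "49" appears in the result. The single-pass renderer emits the delimiters verbatim. Note that swapping in a sandboxed Jinja2 environment would limit what an evaluated expression can reach, but would not stop the data field from being evaluated at all; the fix is to never feed rendered output back into the compiler.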
References
- github.com/advisories/GHSA-gg2g-p7xc-qqmm
- github.com/oscal-compass/compliance-trestle/commit/247fcce289f60103f3d8e28d8ec51a6986b94fb6
- github.com/oscal-compass/compliance-trestle/commit/7d107b3ac53caca7bde97a6278b23cd739d94525
- github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-gg2g-p7xc-qqmm
- nvd.nist.gov/vuln/detail/CVE-2026-46439